Handbook

What's new
- Fortinet Security Fabric
- Manageability
- Networking
- Security
  - SSH MITM deep inspection
Getting started
- Installation
- Using the GUI
- Using the CLI
- FortiExplorer for iOS
- LED specifications
- Inspection mode
- Basic administration
- Firmware
- FortiGuard
- FortiCloud
- Troubleshooting your installation
- Resources
Fortinet Security Fabric
- Overview
  - Benefits
  - Components
- Configuration
- Using the Fortinet Security Fabric
- Automation stitches
- Fabric Connectors
SD-WAN
- Configuring SD-WAN
  - SD-WAN requirements
  - Configuring a basic SD-WAN deployment
- Monitoring SD-WAN
- Applying traffic shaping to SD-WAN traffic
- Viewing SD-WAN information in the Fortinet Security Fabric
High availability
- HA solutions
- FGCP HA
- FGCP HA examples
- Virtual clustering
- Full mesh HA
  - Full mesh HA example
  - Troubleshooting full mesh HA
- Operating a cluster
- Failover protection
- Session failover
- HA and load balancing
- FortiGate-VM and third-party HA
- VRRP
- FGSP
- Standalone configuration sync
Firewall
- Firewall concepts
- IPv6
- Network defense
- Policies
- Addresses
- Virtual IPs
- IP pools
- Services
- Schedules
- WAN optimization, proxies, web caching, and WCCP
- Example topologies
- WAN optimization
- Transparent and explicit proxies
- Explicit web proxy
- Explicit FTP proxy
- Web caching
- WCCP
- WAN optimization diagnose commands
Security Profiles
- Overview
- Inside FortiOS
- Inspection modes
- AntiVirus
- Web filtering
- DNS filter
  - FortiGuard botnet protection
- Application control
- Intrusion prevention
- Anti-spam filter
- Data leak prevention
- ICAP support
- FortiClient Compliance Profiles
- Proxy options
- SSL/SSH inspection
- Other considerations
Authentication
- Introduction to authentication
- Authentication servers
- Users and user groups
- FortiToken Mobile user instructions
- Managing guest access
- Configuring authenticated access
- Captive portals
- Certificate-based authentication
- Single sign-on using a FortiAuthenticator unit
- Single sign-on to Windows AD
- Agent-based FSSO
- SSO using RADIUS accounting records
- Monitoring authenticated users
- Examples and troubleshooting
IPsec VPN
- IPsec VPN concepts
  - VPN tunnels
  - VPN gateways
  - Clients, servers, and peers
  - Encryption
  - Authentication
  - Phase 1 and Phase 2 settings
  - Security Association
  - IKE and IPsec packet processing
- IPsec VPN overview
  - Types of VPNs
  - Planning your VPN
  - General preparation steps
  - How to use this guide to configure an IPsec VPN
- IPsec VPN from the GUI
  - Phase 1 configuration
  - Concentrator
  - IPsec Monitor
- Phase 1 parameters
  - Overview
  - Defining the tunnel ends
  - Choosing Main mode or Aggressive mode
  - Authenticating the FortiGate unit
  - Authenticating remote peers and clients
  - Defining IKE negotiation parameters
  - Using XAuth authentication
  - Dynamic IPsec route control
- Phase 2 parameters
  - Phase 2 settings
  - Configuring Phase 2 parameters
- Defining VPN security policies
  - Defining policy addresses
  - Defining security policies
- Gateway-to-gateway configuration
  - Gateway-to-gateway configuration
  - Testing
- Hub-and-spoke configuration
  - Configuration overview
  - Configure the hub
  - Configure the spokes
  - Dynamic spokes configuration example
- One-Click VPN (OCVPN)
  - General configuration
  - Key exchange
  - Device polling and controller information
  - System states
  - Debugging and logging
- Dynamic DNS configuration
  - Configuration overview
- FortiClient dialup-client configuration
  - Configuration overview
- FortiGate dialup-client configuration
  - Configuration overview
- Supporting IKE Mode Config clients
  - Automatic configuration overview
- Internet-browsing configuration
  - Configuration overview
- Redundant VPN configuration
  - Configuration overview
- Transparent-mode VPN configuration
  - Configuration overview
- IPv6 IPsec VPNs
  - Configuration examples
- L2TP and IPsec (Microsoft VPN)
  - Configuration overview
- GRE over IPsec (Cisco VPN)
  - Configuration overview
- Protecting OSPF with IPsec
  - Configuration overview
- Redundant OSPF routing over IPsec
  - Configuration
- BGP over dynamic IPsec
- IPsec Auto-Discovery VPN (ADVPN)
  - Example ADVPN configuration
- Logging and monitoring
  - Monitoring VPN connections
  - VPN event logs
- Troubleshooting
  - General troubleshooting tips
  - Troubleshooting L2TP and IPsec
  - Troubleshooting GRE over IPsec
SSL VPN
- Overview
- SSL VPN best practices
- Basic configuration
- SSL VPN client
  - FortiClient
  - Tunnel mode client configuration
- SSL VPN web portal
- Setup examples
- Troubleshooting
Networking
- Interfaces
- DNS
- Advanced static routing
- Dynamic routing
- Multicast forwarding
- Modems
- Troubleshooting
Transparent mode
- Overview
  - What is transparent mode?
  - Transparent mode features
- Installation
- Networking in transparent mode
- Firewalls and security in transparent mode
- IPsec VPN in transparent mode
- Using FortiManager and FortiAnalyzer
- High availability in transparent mode
  - Virtual clustering
  - MAC address assignment
- Best practices
VoIP Solutions: SIP
- Inside FortiOS: Voice over IP (VoIP) protection
- Common SIP VoIP configurations
  - Peer to peer configuration
  - SIP proxy server configuration
  - SIP redirect server configuration
  - SIP registrar configuration
  - SIP with a FortiGate
- SIP messages and media protocols
  - Hardware accelerated RTP processing
  - SIP request messages
  - SIP response messages
  - SIP message start line
  - SIP headers
  - The SIP message body and SDP session profiles
  - Example SIP messages
- The SIP session helper
  - SIP session helper configuration overview
  - Viewing, removing, and adding the SIP session helper configuration
  - Changing the port numbers that the SIP session helper listens on
  - Configuration example: SIP session helper in transparent mode
  - SIP session helper diagnose commands
- The SIP ALG
  - Enabling VoIP support from the GUI
  - SIP ALG configuration overview
  - VoIP profiles
  - Changing the port numbers that the SIP ALG listens on
  - Disabling the SIP ALG in a VoIP profile
  - SIP ALG diagnose commands
- Conflicts between the SIP ALG and the session helper
- Stateful SIP tracking, call termination, and session inactivity timeout
  - Adding a media stream timeout for SIP calls
  - Adding an idle dialog setting for SIP calls
  - Changing how long to wait for call setup to complete
- SIP and RTP/RTCP
- How the SIP ALG creates RTP pinholes
- Configuration example: SIP in transparent mode
- RTP enable/disable (RTP bypass)
- Opening and closing SIP register, contact, via and record-route pinholes
- Accepting SIP register responses
- How the SIP ALG performs NAT
  - SIP ALG source address translation
  - SIP ALG destination address translation
  - SIP call re-invite messages
  - How the SIP ALG translates IP addresses in SIP headers
  - How the SIP ALG translates IP addresses in the SIP body
  - SIP NAT scenario: source address translation (source NAT)
  - SIP NAT scenario: destination address translation (destination NAT)
  - SIP NAT configuration example: source address translation (source NAT)
  - SIP NAT configuration example: destination address translation (destination NAT)
  - SIP and RTP source NAT
  - SIP and RTP destination NAT
  - Source NAT with an IP pool
  - Different source and destination NAT for SIP and RTP
  - NAT with IP address conservation
  - Controlling how the SIP ALG NATs SIP contact header line addresses
  - Controlling NAT for addresses in SDP lines
  - Translating SIP session destination ports
  - Translating SIP sessions to multiple destination ports
  - Adding the original IP address and port to the SIP message header after NAT
- Enhancing SIP pinhole security
- Hosted NAT traversal
  - Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
  - Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
  - Restricting the RTP source IP
- SIP over IPv6
- Deep SIP message inspection
  - Actions taken when a malformed message line is found
  - Logging and statistics
  - Deep SIP message inspection best practices
  - Configuring deep SIP message inspection
- Blocking SIP request messages
- SIP rate limiting
  - Limiting the number of SIP dialogs accepted by a security policy
- SIP logging
- Inspecting SIP over SSL/TLS (secure SIP)
  - Adding the SIP server and client certificates
  - Adding SIP over SSL/TLS support to a VoIP profile
- SIP and HA–session failover and geographic redundancy
  - SIP geographic redundancy
  - Supporting geographic redundancy when blocking OPTIONS messages
  - Support for RFC 2543-compliant branch parameters
- SIP and IPS
- SIP debugging
  - SIP debug log format
  - SIP-proxy filter per VDOM
  - SIP-proxy filter command
  - SIP debug setting
  - Display SIP rate-limit data
Best practices
- General considerations
- Customer service and technical support
- Fortinet Knowledge Base
- System and performance
  - Performance
  - Shutting down
- Migration
- Environmental specifications
  - Grounding
  - Rack mounting
- Firmware
- Security Profiles (AV, Web Filtering etc.)
- Networking
- FGCP high availability
  - Heartbeat interfaces
  - Interface monitoring (port monitoring)
- WAN Optimization
- Virtual Domains (VDOMs)
- Explicit proxy
- Wireless
- Logging and reporting
  - Log management
  - System memory and hard disks
Managing devices
- Managing “bring your own device”
- Managing Fortinet devices
Server load balancing
- Inside FortiOS: server load balancing
- Basic load balancing configuration example
- Configuring load balancing
- HTTP and HTTPS load balancing, multiplexing, and persistence
- SSL/TLS load balancing
- IP, TCP, and UDP load balancing
- Example HTTP load balancing to three real web servers
- Example Basic IP load balancing configuration
- Example Adding a server load balance port forwarding virtual IP
- Example Weighted load balancing configuration
- Example HTTP and HTTPS persistence configuration
System administration
- Administrators
- Monitoring
- Replacement messages
- Administration for schools
- PPTP and L2TP
  - Configuring L2TP VPNs
  - L2TP configuration overview
- Session helpers
- Advanced concepts
Traffic shaping
- Overview
- Configuring traffic shaping
- Monitoring traffic shaping
- Traffic shaping examples
- Traffic shaping priority queueing (PRIQ)
- Troubleshooting traffic shaping
Virtual Domains
- VDOMs overview
  - Benefits
  - Configurations
- Configuring VDOMs
- Example configurations
  - Example 1: NAT mode
  - Example 2: NAT and transparent mode
- Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
- Introduction to wireless networking
- Captive portals
- WiFi LAN configuration
- Access point deployment
- Remote AP setup
- Wireless mesh
  - Configuring a meshed WiFi network
  - Configuring a point-to-point bridge
- Hotspot 2.0
- Combining WiFi and wired networks with a software switch
  - FortiAP local bridging (private cloud-managed AP)
  - Using bridged FortiAPs to increase scalability
- Using remote WLAN FortiAPs
- Features for high-density deployments
- Wireless network protection
- Wireless network monitoring
- Wireless network client configuration
- Wireless network examples
  - Basic wireless network example
  - Complex wireless network example
- Managing a FortiAP with FortiCloud
  - FortiCloud-managed FortiAP WiFi
  - FortiCloud-managed FortiAP WiFi without a key
- Using a FortiWiFi unit as a client
  - Using a FortiWiFi unit in the client mode
  - Configuring a FortiAP unit as a WiFi Client in client mode
- Support for location-based services
  - Configuring location tracking
  - Viewing device location data on the FortiGate unit
- Troubleshooting
- Reference
FortiSwitch devices managed by FortiOS
- Connecting FortiLink ports
- Using the FortiGate GUI
- Using the FortiGate CLI
- Network topologies
- Optional setup tasks
- FortiSwitch port features
- FortiSwitch port security policy
- Additional capabilities
- Troubleshooting
FortiOS Carrier
- Overview of FortiOS Carrier features
  - MMS
  - GTP
- MMS Concepts
- MMS Configuration
- GTP basic concepts
- GTP Configuration
- SCTP Concepts
  - SCTP Firewall
- Troubleshooting
Sandbox inspection
- Using FortiSandbox with a FortiGate
  - Connecting a FortiGate to FortiSandbox
  - FortiSandbox console
- Sandbox integration
  - Overview
  - Example configuration
- Sandbox inspection FAQ
FortiView
- Overview
  - Enabling FortiView
  - FortiView interface
- FortiView consoles
- Reference
- Troubleshooting
Logging and reporting
- Logging and reporting overview
- Logging and reporting for small networks
- Logging and reporting for large networks
- Advanced logging
- Troubleshooting and logging
Troubleshooting
- Troubleshooting methodologies
- Troubleshooting tools
- Troubleshooting tips
- Troubleshooting resources

Home FortiGate / FortiOS 6.0.0 Handbook

6.0.0

Simple RIP example

This is an example of a typical medium-sized network configuration using RIP routing.

Your company has 3 small local networks, one for each department. These networks are connected by RIP, and then connected to the Internet. Each subnet has more than one route for redundancy. There are two central routers that are both connected to the Internet and to the other networks. If one of those routers goes down, the whole network can continue to function normally.

The ISP is running RIP, so no importing or exporting routes is required on the side of the network. However, since the internal networks have static networking running, those will need to be redistributed through the RIP network.

To keep the example simple, there will be no authentication of router traffic.

With RIP properly configured, if the device fails or temporarily goes offline, the routes will change and traffic will continue to flow. RIP is good for a smaller network due to its lack of complex configurations.

Network layout and assumptions

Basic network layout

Your company has 3 departments each with their own network: Sales, R&D, and Accounting. Each network has routers that are not running RIP and FortiGate devices running RIP.

The R&D network has two RIP routers, and each is connected to both other departments as well as being connected to the Internet through the ISP router. The links to the Internet are indicated in black.

The three internal networks do not run RIP. They use static routing because they are small networks. This means the FortiGate devices have to redistribute any static routes they learn so that the internal networks can communicate with each other.

Where possible in this example, the default values will be used (or the most general settings). This is intended to provide an easier configuration that will require less troubleshooting.

In this example, the routers, networks, interfaces used, and IP addresses are as follows. Note that the interfaces that connect Router2 and Router3 also connect to the R&D network.

RIP example network topology

Network	Router	Interface & alias	IP address
Sales	Router1	port1 (internal)	10.11.101.101
		port2 (router2)	10.11.201.101
		port3 (router3)	10.11.202.101
R&D	Router2	port1 (internal)	10.12.101.102
		port2 (router1)	10.11.201.102
		port3 (router4)	10.14.201.102
		port4 (ISP)	172.20.120.102
	Router3	port1 (internal)	10.12.101.103
		port2 (router1)	10.11.201.103
		port3 (router4)	10.14.202.103
		port4 (ISP)	172.20.120.103
Accounting	Router4	port1 (internal)	10.14.101.104
		port2 (router2)	10.14.201.104
		port3 (router3)	10.14.202.104

Network topology for the simple RIP example

Assumptions

This example makes the following assumptions:

All FortiGate devices have 5.0 firmware and are running factory default settings.
All CLI and GUI navigation assumes the unit is running in NAT mode, with VDOMs disabled.
All FortiGate devices have interfaces labeled port1 through port4, as required.
All firewalls have been configured for each FortiGate to allow the required traffic to flow across interfaces.
Only FortiGate devices are running RIP on the internal networks.
Router2 and Router3 are connected through the internal network for R&D.
Router2 and Router3 each have their own connection to the Internet, indicated in black in the diagram above.

General configuration steps

This example is very straightforward. The steps involved are:

Configuring FortiGate system information
Configuring FortiGate RIP router information
Configuring other networking devices
Testing network configuration

Configuring FortiGate system information

You must configure the hostname and interfaces for each FortiGate.

For IP numbering, Router2 and Router3 use the numbering for the other routers, where needed.

Router2 and Router3 have link health monitoring enabled on the ISP interfaces using Ping. Remember to contact the ISP and confirm their server has ping enabled.

Configure the hostname, interfaces, and default route

To configure Router1 system information - GUI:

Go to System > Settings.
In the Host name field, enter Router1.
Go to Network > Static Routes.
Edit the default route and enter the following information:

Destination	0.0.0.0/0.0.0.0
Interface	port2 (router2)
Gateway Address	172.20.120.5/255.255.255.0
Administrative Distance	40

Enter a second default route and enter the following information:

Destination	0.0.0.0/0.0.0.0
Interface	port3 (router3)
Gateway Address	172.20.120.5/255.255.255.0
Administrative Distance	40

Go to Network > Interfaces.
Edit port1 (internal) interface.
Set the following information, and select OK.

Alias	internal
IP/Network Mask	10.11.101.101/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Internal sales network
Interface State	Enabled

Edit port2 (router2) interface.
Set the following information, and select OK.

Alias	router2
IP/Network Mask	10.11.201.101/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Link to R&D network & Internet through Router2
Interface State	Enabled

Edit port3 (router3) interface.
Set the following information, and select OK.

Alias	router3
IP/Network Mask	10.11.202.101/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Link to R&D network and Internet through Router3
Interface State	Enabled

To configure Router1 system information - CLI:

config system global

set hostname Router1

end

config router static

edit 1

set device "port2"

set distance 45

set gateway 10.11.201.102

edit 2

set device "port3"

set distance 45

set gateway 10.11.202.103

end

config system interface

edit port1

set alias internal

set ip 10.11.101.101/255.255.255.0

set allowaccess https ssh ping

set description "Internal sales network"

edit port2

set alias ISP

set allowaccess https ssh ping

set ip 10.11.201.101/255.255.255.0

set description "Link to R&D network & Internet through Router2"

edit port3

set alias router3

set ip 10.11.202.101/255.255.255.0

set allowaccess https ssh ping

set description "Link to R&D network & Internet through Router2"

end

To configure Router2 system information - GUI:

Go to System > Settings.
In the Host name field, enter Router2.
Go to Network > Static Routes.
Edit the default route and enter the following information:

Destination	0.0.0.0/0.0.0.0
Interface	port4 (ISP)
Gateway Address	172.20.120.5/255.255.255.0
Administrative Distance	5

Go to Network > Interfaces.
Edit port1 (internal) interface.
Set the following information and select OK.

Alias	internal
IP/Network Mask	10.12.101.102/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	R&D internal network and Router3
Interface State	Enabled

Edit port2 (router1) interface.
Set the following information and select OK.

Alias	router1
IP/Network Mask	10.12.201.102/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Link to Router1 and the Sales network
Interface State	Enabled

Edit port3 (router4) interface.
Set the following information and select OK.

Alias	router4
IP/Network Mask	10.12.301.102/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Link to Router4 and the accounting network
Interface State	Enabled

Edit port4 (ISP) interface.
Set the following information and select OK.

Alias	ISP
IP/Network Mask	172.20.120.102/255.255.255.0
Administrative Access	HTTPS SSH PING
Device Detection	enable
Comments	Internet through ISP
Interface State	Enabled

To configure Router2 system information - CLI:

config system global

set hostname Router2

end

config router static

edit 1

set device "port4"

set distance 5

set gateway 172.20.130.5

end

config system interface

edit port1

set alias internal

set ip 10.11.101.102/255.255.255.0

set allowaccess https ssh ping

set description "Internal RnD network and Router3"

edit port2

set alias router1

set allowaccess https ssh ping

set ip 10.11.201.102/255.255.255.0

set description "Link to Router1"

edit port3

set alias router3

set ip 10.14.202.102/255.255.255.0

set allowaccess https ssh ping

set description "Link to Router4"

edit port4

set alias ISP

set ip 172.20.120.102/255.255.255.0

set allowaccess https ssh ping

set description "ISP and Internet"

end

To configure Router3 system information - GUI:

Go to System > Settings.
In the Host name field, enter Router3.
Go to Network > Static Routes.
Edit the default route and enter the following information:

Destination	0.0.0.0/0.0.0.0
Interface	port4 (ISP)
Gateway Address	172.20.120.5/255.255.255.0
Administrative Distance	5

Go to Network > Interfaces.
Edit port1 (internal) interface.
Set the following information and select OK.

Alias	internal
IP/Network Mask	10.12.101.103/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	R&D internal network and Router2
Interface State	Enabled

Edit port2 (router1) interface.
Set the following information and select OK.

Alias	router1
IP/Network Mask	10.13.201.103/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Link to Router1 and Sales network
Interface State	Enabled

Edit port3 (router4) interface.
Set the following information and select OK.

Alias	router4
IP/Network Mask	10.13.301.103/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Link to Router4 and accounting network
Interface State	Enabled

Edit port4 (ISP) interface.
Set the following information and select OK.

Alias	ISP
IP/Network Mask	172.20.120.103/255.255.255.0
Administrative Access	HTTPS SSH PING
Device Detection	enable
Comments	Internet and ISP
Interface State	Enabled

To configure Router3 system information - CLI:

config system global

set hostname Router3

end

config router static

edit 1

set device "port4"

set distance 5

set gateway 172.20.130.5

end

config system interface

edit port1

set alias internal

set ip 10.12.101.103/255.255.255.0

set allowaccess https ssh ping

set description “Internal RnD network and Router2”

edit port2

set alias ISP

set allowaccess https ssh ping

set ip 10.11.201.103/255.255.255.0

set description “Link to Router1”

edit port3

set alias router3

set ip 10.14.202.103/255.255.255.0

set allowaccess https ssh ping

set description “Link to Router4”

edit port4

set alias ISP

set ip 172.20.120.103/255.255.255.0

set allowaccess https ssh ping

set description “ISP and Internet”

end

To configure Router4 system information - GUI:

Go to System > Settings.
In the Host name field, enter Router4.
Go to Network > Static Routes.
Edit the default route and enter the following information:

Destination	0.0.0.0/0.0.0.0
Interface	port2 (router2)
Gateway Address	172.20.120.5/255.255.255.0
Administrative Distance	40

Enter a second default route and enter the following information:

Destination	0.0.0.0/0.0.0.0
Interface	port3 (router3)
Gateway Address	172.20.120.5/255.255.255.0
Administrative Distance	40

Go to Network > Interfaces.
Edit port 1 (internal) interface.
Set the following information and select OK.

Alias	internal
IP/Network Mask	10.14.101.104/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Internal accounting network
Interface State	Enabled

Edit port 2 (router2) interface.
Set the following information and select OK.

Alias	router2
IP/Network Mask	10.14.201.104/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Link to R&D network & Internet through Router2
Interface State	Enabled

Edit port 3 (router3) interface.
Set the following information and select OK.

Alias	router3
IP/Network Mask	10.14.301.104/255.255.255.0
Administrative Access	HTTPS SSH PING
Comments	Link to R&D network and Internet through Router3
Interface State	Enabled

To configure Router4 system information - CLI:

config system global

set hostname Router4

end

config router static

edit 1

set device "port2"

set distance 45

set gateway 10.14.201.102

edit 2

set device "port3"

set distance 45

set gateway 10.14.202.103

end

config system interface

edit port1

set alias internal

set ip 10.14.101.104/255.255.255.0

set allowaccess https ssh ping

set description "Internal sales network"

edit port2

set alias router2

set allowaccess https ssh ping

set ip 10.14.201.104/255.255.255.0

set description "Link to R&D network & Internet through Router2"

edit port3

set alias router3

set ip 10.14.202.104/255.255.255.0

set allowaccess https ssh ping

set description "Link to R&D network & Internet through Router2"

end

Configuring FortiGate RIP router information

With the interfaces configured, RIP can now be configured on the FortiGate.

For each FortiGate, the following steps will be taken:

Configure RIP version used
Redistribute static networks
Add networks serviced by RIP
Add interfaces that support RIP on the FortiGate

Router1 and Router4 are configured the same. Router2 and Router3 are configured the same. These routers will be grouped accordingly for the following procedures. Repeat the procedures once for each FortiGate.

Configure RIP settings on Router1 and Router4 - GUI:

Go to Network > RIP.
Select 2 for Version.
In Advanced Options, under Redistribute enable Static. Leave the other advanced options at their default values.
Under Networks, add the following networks:
- 10.11.0.0/255.255.0.0
- 10.12.0.0/255.255.0.0
- 10.14.0.0/255.255.0.0
- 172.20.120.0/255.255.255.0
Under Interfaces, select Create New and set the following information:

Interface	port1 (internal)
Passive	disabled
Authentication	None
Send Version	Both
Receive Version	Both

Under Interfaces select Create New and set the following information:

Interface	port2 (router2)
Passive	disabled
Authentication	None
Send Version	Both
Receive Version	Both

Under Interfaces, select Create New and set the following information:

Interface	port3 (router3)
Passive	disabled
Authentication	None
Send Version	Both
Receive Version	Both

Configure RIP settings on Router1 and Router4 - CLI:

config router rip

set version 2

config interface

edit "port1"

set receive-version 1 2

set send-version 1 2

edit "port2"

set receive-version 1 2

set send-version 1 2

edit "port3"

set receive-version 1 2

set send-version 1 2

end

config network

edit 1

set prefix 10.11.0.0 255.255.0.0

edit 2

set prefix 10.12.0.0 255.255.0.0

edit 3

set prefix 10.14.0.0 255.255.0.0

edit 4

set prefix 172.20.120.0 255.255.255.0

end

config redistribute "static"

set status enable

end

Configure RIP settings on Router2 and Router3 - GUI:

Go to Network > RIP.
Select 2 for RIP.
In Advanced Options, under Redistribute enable Static. Leave the other advanced options at their default values.
Under Networks, add the following networks:
- 10.11.0.0/255.255.0.0
- 10.12.0.0/255.255.0.0
- 10.14.0.0/255.255.0.0
- 172.20.120.0/255.255.255.0
Under Interfaces, select Create New and set the following information:

Interface	port1 (internal)
Passive	disabled
Authentication	None
Send Version	Both
Receive Version	Both

Under Interfaces, select Create New and set the following information:

Interface	port2 (router1)
Passive	disabled
Authentication	None
Send Version	Both
Receive Version	Both

Under Interfaces, select Create New and set the following information:

Interface	port3 (router4)
Passive	disabled
Authentication	None
Send Version	Both
Receive Version	Both

Under Interfaces, select Create New and set the following information:

Interface	port4 (ISP)
Passive	disabled
Authentication	None
Send Version	Both
Receive Version	Both

Configure RIP settings on Router2 and Router3 - GUI:

config router rip

set version 2

config interface

edit "port1"

set receive-version 1 2

set send-version 1 2

edit "port2"

set receive-version 1 2

set send-version 1 2

edit "port3"

set receive-version 1 2

set send-version 1 2

end

edit "port4"

set receive-version 1 2

set send-version 1 2

end

config network

edit 1

set prefix 10.11.0.0 255.255.0.0

edit 2

set prefix 10.12.0.0 255.255.0.0

edit 3

set prefix 10.14.0.0 255.255.0.0

edit 4

set prefix 172.20.120.0 255.255.255.0

end

config redistribute "static"

set status enable

end

Configuring other networking devices

In this example, there are two groups of other devices on the the network: internal devices and the ISP.

The first is the internal network devices on the Sales, R&D, and Accounting networks. This includes simple static routers, computers, printers, and other network devices. Once the FortiGate devices are configured, the internal static routers need to be configured using the internal network IP addresses. Otherwise, there should be no configuration required.

The second group of devices is the ISP. This consists of the RIP router the FortiGate Router2 and Router3 connect to. You need to contact your ISP and ensure they have your information for your network, such as the IP addresses of the connecting RIP routers, what version of RIP your network supports, and what authentication (if any) is used.

Testing network configuration

Once the network has been configured, you need to test that it works as expected.

The two series of tests you need to run are to test the internal networks can communicate with each other, and that the internal networks can reach the Internet.

Use ping, traceroute, and other networking tools to run these tests.

If you encounter problems, for troubleshooting help consult Troubleshooting RIP.

IPsec auto discovery support

The following routing settings are available in the CLI to support IPsec auto discovery. They are designed for:

Supporting the RIPng (RIP next generation) network command
Limiting the maximum metric allowed to output for RIPng
Fix NSM missing kernel address update information

The actual new settings are:

config router rip

set max-out-metric <integer value 1 - 15>

end

config router ripng

set max-out-metric <integer value 1 - 15>

end

config router ripng

config network

edit <network-ID>

set prefix <IPv6-prefix>

end