Handbook

What's new
- Fortinet Security Fabric
- Manageability
- Networking
- Security
  - SSH MITM deep inspection
Getting started
- Installation
- Using the GUI
- Using the CLI
- FortiExplorer for iOS
- LED specifications
- Inspection mode
- Basic administration
- Firmware
- FortiGuard
- FortiCloud
- Troubleshooting your installation
- Resources
Fortinet Security Fabric
- Overview
  - Benefits
  - Components
- Configuration
- Using the Fortinet Security Fabric
- Automation stitches
- Fabric Connectors
SD-WAN
- Configuring SD-WAN
  - SD-WAN requirements
  - Configuring a basic SD-WAN deployment
- Monitoring SD-WAN
- Applying traffic shaping to SD-WAN traffic
- Viewing SD-WAN information in the Fortinet Security Fabric
High availability
- HA solutions
- FGCP HA
- FGCP HA examples
- Virtual clustering
- Full mesh HA
  - Full mesh HA example
  - Troubleshooting full mesh HA
- Operating a cluster
- Failover protection
- Session failover
- HA and load balancing
- FortiGate-VM and third-party HA
- VRRP
- FGSP
- Standalone configuration sync
Firewall
- Firewall concepts
- IPv6
- Network defense
- Policies
- Addresses
- Virtual IPs
- IP pools
- Services
- Schedules
- WAN optimization, proxies, web caching, and WCCP
- Example topologies
- WAN optimization
- Transparent and explicit proxies
- Explicit web proxy
- Explicit FTP proxy
- Web caching
- WCCP
- WAN optimization diagnose commands
Security Profiles
- Overview
- Inside FortiOS
- Inspection modes
- AntiVirus
- Web filtering
- DNS filter
  - FortiGuard botnet protection
- Application control
- Intrusion prevention
- Anti-spam filter
- Data leak prevention
- ICAP support
- FortiClient Compliance Profiles
- Proxy options
- SSL/SSH inspection
- Other considerations
Authentication
- Introduction to authentication
- Authentication servers
- Users and user groups
- FortiToken Mobile user instructions
- Managing guest access
- Configuring authenticated access
- Captive portals
- Certificate-based authentication
- Single sign-on using a FortiAuthenticator unit
- Single sign-on to Windows AD
- Agent-based FSSO
- SSO using RADIUS accounting records
- Monitoring authenticated users
- Examples and troubleshooting
IPsec VPN
- IPsec VPN concepts
  - VPN tunnels
  - VPN gateways
  - Clients, servers, and peers
  - Encryption
  - Authentication
  - Phase 1 and Phase 2 settings
  - Security Association
  - IKE and IPsec packet processing
- IPsec VPN overview
  - Types of VPNs
  - Planning your VPN
  - General preparation steps
  - How to use this guide to configure an IPsec VPN
- IPsec VPN from the GUI
  - Phase 1 configuration
  - Concentrator
  - IPsec Monitor
- Phase 1 parameters
  - Overview
  - Defining the tunnel ends
  - Choosing Main mode or Aggressive mode
  - Authenticating the FortiGate unit
  - Authenticating remote peers and clients
  - Defining IKE negotiation parameters
  - Using XAuth authentication
  - Dynamic IPsec route control
- Phase 2 parameters
  - Phase 2 settings
  - Configuring Phase 2 parameters
- Defining VPN security policies
  - Defining policy addresses
  - Defining security policies
- Gateway-to-gateway configuration
  - Gateway-to-gateway configuration
  - Testing
- Hub-and-spoke configuration
  - Configuration overview
  - Configure the hub
  - Configure the spokes
  - Dynamic spokes configuration example
- One-Click VPN (OCVPN)
  - General configuration
  - Key exchange
  - Device polling and controller information
  - System states
  - Debugging and logging
- Dynamic DNS configuration
  - Configuration overview
- FortiClient dialup-client configuration
  - Configuration overview
- FortiGate dialup-client configuration
  - Configuration overview
- Supporting IKE Mode Config clients
  - Automatic configuration overview
- Internet-browsing configuration
  - Configuration overview
- Redundant VPN configuration
  - Configuration overview
- Transparent-mode VPN configuration
  - Configuration overview
- IPv6 IPsec VPNs
  - Configuration examples
- L2TP and IPsec (Microsoft VPN)
  - Configuration overview
- GRE over IPsec (Cisco VPN)
  - Configuration overview
- Protecting OSPF with IPsec
  - Configuration overview
- Redundant OSPF routing over IPsec
  - Configuration
- BGP over dynamic IPsec
- IPsec Auto-Discovery VPN (ADVPN)
  - Example ADVPN configuration
- Logging and monitoring
  - Monitoring VPN connections
  - VPN event logs
- Troubleshooting
  - General troubleshooting tips
  - Troubleshooting L2TP and IPsec
  - Troubleshooting GRE over IPsec
SSL VPN
- Overview
- SSL VPN best practices
- Basic configuration
- SSL VPN client
  - FortiClient
  - Tunnel mode client configuration
- SSL VPN web portal
- Setup examples
- Troubleshooting
Networking
- Interfaces
- DNS
- Advanced static routing
- Dynamic routing
- Multicast forwarding
- Modems
- Troubleshooting
Transparent mode
- Overview
  - What is transparent mode?
  - Transparent mode features
- Installation
- Networking in transparent mode
- Firewalls and security in transparent mode
- IPsec VPN in transparent mode
- Using FortiManager and FortiAnalyzer
- High availability in transparent mode
  - Virtual clustering
  - MAC address assignment
- Best practices
VoIP Solutions: SIP
- Inside FortiOS: Voice over IP (VoIP) protection
- Common SIP VoIP configurations
  - Peer to peer configuration
  - SIP proxy server configuration
  - SIP redirect server configuration
  - SIP registrar configuration
  - SIP with a FortiGate
- SIP messages and media protocols
  - Hardware accelerated RTP processing
  - SIP request messages
  - SIP response messages
  - SIP message start line
  - SIP headers
  - The SIP message body and SDP session profiles
  - Example SIP messages
- The SIP session helper
  - SIP session helper configuration overview
  - Viewing, removing, and adding the SIP session helper configuration
  - Changing the port numbers that the SIP session helper listens on
  - Configuration example: SIP session helper in transparent mode
  - SIP session helper diagnose commands
- The SIP ALG
  - Enabling VoIP support from the GUI
  - SIP ALG configuration overview
  - VoIP profiles
  - Changing the port numbers that the SIP ALG listens on
  - Disabling the SIP ALG in a VoIP profile
  - SIP ALG diagnose commands
- Conflicts between the SIP ALG and the session helper
- Stateful SIP tracking, call termination, and session inactivity timeout
  - Adding a media stream timeout for SIP calls
  - Adding an idle dialog setting for SIP calls
  - Changing how long to wait for call setup to complete
- SIP and RTP/RTCP
- How the SIP ALG creates RTP pinholes
- Configuration example: SIP in transparent mode
- RTP enable/disable (RTP bypass)
- Opening and closing SIP register, contact, via and record-route pinholes
- Accepting SIP register responses
- How the SIP ALG performs NAT
  - SIP ALG source address translation
  - SIP ALG destination address translation
  - SIP call re-invite messages
  - How the SIP ALG translates IP addresses in SIP headers
  - How the SIP ALG translates IP addresses in the SIP body
  - SIP NAT scenario: source address translation (source NAT)
  - SIP NAT scenario: destination address translation (destination NAT)
  - SIP NAT configuration example: source address translation (source NAT)
  - SIP NAT configuration example: destination address translation (destination NAT)
  - SIP and RTP source NAT
  - SIP and RTP destination NAT
  - Source NAT with an IP pool
  - Different source and destination NAT for SIP and RTP
  - NAT with IP address conservation
  - Controlling how the SIP ALG NATs SIP contact header line addresses
  - Controlling NAT for addresses in SDP lines
  - Translating SIP session destination ports
  - Translating SIP sessions to multiple destination ports
  - Adding the original IP address and port to the SIP message header after NAT
- Enhancing SIP pinhole security
- Hosted NAT traversal
  - Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
  - Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
  - Restricting the RTP source IP
- SIP over IPv6
- Deep SIP message inspection
  - Actions taken when a malformed message line is found
  - Logging and statistics
  - Deep SIP message inspection best practices
  - Configuring deep SIP message inspection
- Blocking SIP request messages
- SIP rate limiting
  - Limiting the number of SIP dialogs accepted by a security policy
- SIP logging
- Inspecting SIP over SSL/TLS (secure SIP)
  - Adding the SIP server and client certificates
  - Adding SIP over SSL/TLS support to a VoIP profile
- SIP and HA–session failover and geographic redundancy
  - SIP geographic redundancy
  - Supporting geographic redundancy when blocking OPTIONS messages
  - Support for RFC 2543-compliant branch parameters
- SIP and IPS
- SIP debugging
  - SIP debug log format
  - SIP-proxy filter per VDOM
  - SIP-proxy filter command
  - SIP debug setting
  - Display SIP rate-limit data
Best practices
- General considerations
- Customer service and technical support
- Fortinet Knowledge Base
- System and performance
  - Performance
  - Shutting down
- Migration
- Environmental specifications
  - Grounding
  - Rack mounting
- Firmware
- Security Profiles (AV, Web Filtering etc.)
- Networking
- FGCP high availability
  - Heartbeat interfaces
  - Interface monitoring (port monitoring)
- WAN Optimization
- Virtual Domains (VDOMs)
- Explicit proxy
- Wireless
- Logging and reporting
  - Log management
  - System memory and hard disks
Managing devices
- Managing “bring your own device”
- Managing Fortinet devices
Server load balancing
- Inside FortiOS: server load balancing
- Basic load balancing configuration example
- Configuring load balancing
- HTTP and HTTPS load balancing, multiplexing, and persistence
- SSL/TLS load balancing
- IP, TCP, and UDP load balancing
- Example HTTP load balancing to three real web servers
- Example Basic IP load balancing configuration
- Example Adding a server load balance port forwarding virtual IP
- Example Weighted load balancing configuration
- Example HTTP and HTTPS persistence configuration
System administration
- Administrators
- Monitoring
- Replacement messages
- Administration for schools
- PPTP and L2TP
  - Configuring L2TP VPNs
  - L2TP configuration overview
- Session helpers
- Advanced concepts
Traffic shaping
- Overview
- Configuring traffic shaping
- Monitoring traffic shaping
- Traffic shaping examples
- Traffic shaping priority queueing (PRIQ)
- Troubleshooting traffic shaping
Virtual Domains
- VDOMs overview
  - Benefits
  - Configurations
- Configuring VDOMs
- Example configurations
  - Example 1: NAT mode
  - Example 2: NAT and transparent mode
- Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
- Introduction to wireless networking
- Captive portals
- WiFi LAN configuration
- Access point deployment
- Remote AP setup
- Wireless mesh
  - Configuring a meshed WiFi network
  - Configuring a point-to-point bridge
- Hotspot 2.0
- Combining WiFi and wired networks with a software switch
  - FortiAP local bridging (private cloud-managed AP)
  - Using bridged FortiAPs to increase scalability
- Using remote WLAN FortiAPs
- Features for high-density deployments
- Wireless network protection
- Wireless network monitoring
- Wireless network client configuration
- Wireless network examples
  - Basic wireless network example
  - Complex wireless network example
- Managing a FortiAP with FortiCloud
  - FortiCloud-managed FortiAP WiFi
  - FortiCloud-managed FortiAP WiFi without a key
- Using a FortiWiFi unit as a client
  - Using a FortiWiFi unit in the client mode
  - Configuring a FortiAP unit as a WiFi Client in client mode
- Support for location-based services
  - Configuring location tracking
  - Viewing device location data on the FortiGate unit
- Troubleshooting
- Reference
FortiSwitch devices managed by FortiOS
- Connecting FortiLink ports
- Using the FortiGate GUI
- Using the FortiGate CLI
- Network topologies
- Optional setup tasks
- FortiSwitch port features
- FortiSwitch port security policy
- Additional capabilities
- Troubleshooting
FortiOS Carrier
- Overview of FortiOS Carrier features
  - MMS
  - GTP
- MMS Concepts
- MMS Configuration
- GTP basic concepts
- GTP Configuration
- SCTP Concepts
  - SCTP Firewall
- Troubleshooting
Sandbox inspection
- Using FortiSandbox with a FortiGate
  - Connecting a FortiGate to FortiSandbox
  - FortiSandbox console
- Sandbox integration
  - Overview
  - Example configuration
- Sandbox inspection FAQ
FortiView
- Overview
  - Enabling FortiView
  - FortiView interface
- FortiView consoles
- Reference
- Troubleshooting
Logging and reporting
- Logging and reporting overview
- Logging and reporting for small networks
- Logging and reporting for large networks
- Advanced logging
- Troubleshooting and logging
Troubleshooting
- Troubleshooting methodologies
- Troubleshooting tools
- Troubleshooting tips
- Troubleshooting resources

Home FortiGate / FortiOS 6.0.0 Handbook

6.0.0

Basic OSPF example

This example sets up an OSPF network at a small office. There are 3 routers, all running OSPFv2. The border router connects to a BGP network.

All three routers in this example are FortiGate devices. Router1 will be the designated router (DR) and Router2 will be the backup designated router (BDR) due to their priorities. Router3 won't be considered for either the DR or BDR elections. Instead, Router3 is the Autonomous System Border Router (ASBR) routing all traffic to the ISP’s BGP router on its way to the Internet.

Router2 has a modem connected that provides dialup access to the Internet as well, at a reduced bandwidth. This is a PPPoE connection to a DSL modem. This provides an alternate route to the Internet if the other route goes down. The DSL connection is slow and is charged by the amount of traffic. For these reasons, OSPF will highly favor Router3’s Internet access.

The DSL connection connects to an OSPF network with the ISP, so no redistribution of routes is required. However, the ISP network does have to be added to that router’s configuration.

Network layout and assumptions

There are three FortiGate devices acting as OSPFv2 routers on the network: Router1, Router2, and Router3. Router1 will be the DR, and Router 2 the BDR. Router3 is the ASBR that connects to the external ISP router running BGP. Router2 has a PPPoE DSL connection that can access the Internet.

The head office network is connected to Router1 and Router2 on the 10.11.101.0 subnet.

Router1 and Router3 are connected over the 10.11.103.0 subnet.

Router2 and Router3 are connected over the 10.11.102.0 subnet.

The following table lists the router, interface, address, and role it's assigned.

Routers, interfaces, and IP addresses for the basic OSPF example network

Router name	Interface	IP address	Interface is connected to:
Router1 (DR)	Internal (port1)	10.11.101.1	Head office network and Router2
Router1 (DR)	External (port2)	10.11.102.1	Router3
Router2 (BDR)	Internal (port1)	10.11.101.2	Head office network and Router1
	External (port2)	10.11.103.2	Router3
	DSL (port3)	10.12.101.2	PPPoE DSL access
Router3 (ASBR)	Internal1 (port1)	10.11.102.3	Router1
	Internal2 (port2)	10.11.103.3	Router2
	External (port3)	172.20.120.3	ISP’s BGP network

Basic OSPF network topology

Note that other subnets can be added to the internal interfaces without changing the configuration.

Assumptions

The FortiGate devices used in this example have interfaces named port1, port2, and port3.
All FortiGate devices in this example have factory default configuration with FortiOS 4.0 MR2 firmware installed and are in NAT mode.
Basic firewalls are in place to allow unfiltered traffic between all connected interfaces in both directions.
This OSPF network is not connected to any other OSPF networks.
Both Internet connections are always available.
The modem connection is very slow and expensive.
Other devices may be on the network, but do not affect this basic configuration.
Router3 is responsible for redistributing all routes into and out of the OSPF AS.

Configuring the FortiGate devices

Each FortiGate needs the interfaces and basic system information, such as hostname, configured.

Configuring Router1

Router1 has two interfaces connected to the network: internal (port1) and external (port2). Its host name must be changed to Router1.

To configure Router1 interfaces - GUI:

Go to System > Settings.
In the Host name field, enter hostname of Router1 and select Apply.
Go to Network > Interfaces, edit port1, set the following information, and select OK.

Alias	internal
IP/Network Mask	10.11.101.1/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Head office and Router2
Interface State	Enabled

Edit port2, set the following information and select OK.

Alias	External
IP/Network Mask	10.11.102.1/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Router3
Interface State	Enabled

Configuring Router2

Router2 configuration is the same as Router1, except Router2 also has the DSL interface to configure.

The DSL interface is configured with a username of “user1” and a password of “ospf_example”. The default gateway is retrieved from the ISP and the defaults are used for the rest of the PPPoE settings.

To configure Router2 interfaces - GUI:

Go to System > Settings.
In the Host name field, enter a hostname of Router2 and select Apply.
Go to Network > Interfaces, edit port1, set the following information, and select OK.

Alias	internal
IP/Network Mask	10.11.101.2/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Head office and Router1
Interface State	Enabled

Edit port2, set the following information and select OK.

Alias	External
IP/Network Mask	10.11.103.2/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Router3
Interface State	Enabled

Edit DSL (port3), set the following information and select OK.

Alias	DSL
Addressing mode	PPPoE
Username	user1
Password	ospf_example
Unnumbered IP	10.12.101.2/255.255.255.0
Retrieve default gateway from server	Enable
Administrative Access	HTTPS SSH PING
Description	DSL
Interface State	Enabled

Configuring Router3

Router3 is similar to Router1 and Router2 configurations. The main difference is the External (port3) interface connected to the ISP BGP network, which has no administration access enabled, for security reasons.

To configure Router3 interfaces - GUI:

Go to System > Settings.
In the Host name field, enter a hostname of Router3 and select Apply.
Go to Network > Interfaces, edit port1, set the following information, and select OK.

Alias	internal
IP/Network Mask	10.11.102.3/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Router1
Interface State	Enabled

Edit port2, set the following information and select OK.

Alias	Internal2
IP/Network Mask	10.11.103.3/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Router2
Interface State	Enabled

Edit port3, set the following information and select OK.

Alias	External
IP/Network Mask	172.20.120.3/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	ISP BGP
Interface State	Enabled

Configuring OSPF on the FortiGate devices

With the interfaces configured, now the FortiGate devices can be configured for OSPF on those interfaces. All routers are part of the backbone 0.0.0.0 area, so no inter‑area communications are needed.

For a simple configuration, there will be no authentication, no graceful restart or other advanced features, and timers will be left at their defaults. Also, the costs for all interfaces will be left at 10, except for the modem and ISP interfaces where cost will be used to load balance traffic. Nearly all advanced features of OSPF are only available from the CLI.

The network that's defined covers all the subnets used in this example - 10.11.101.0, 10.11.102.0, and 10.11.103.0. All routes for these subnets will be advertised. If there are other interfaces on the FortiGate devices that you don't want included in the OSPF routes, ensure those interfaces use a different subnet outside of the 10.11.0.0 network. If you want all interfaces to be advertised you can use an OSPF network of 0.0.0.0 .

Each router will configure:

Router ID
Area
Network
Two or three interfaces depending on the router
Priority for DR (Router1) and BDR (Router2)
Redistribute for ASBR (Router3)

Configuring OSPF on Router1

Router1 has a very high priority to ensure it becomes the DR for this area. Also Router1 has the lowest IP address to help ensure it will win in case there's a tie at some point. Otherwise, it's a standard OSPF configuration. Setting the priority can only be done in the CLI, and it's for a specific OSPF interface.

To configure OSPF on Router1 - GUI:

Go to Network > OSPF.
Set Router ID to 10.11.101.1 and select Apply.
In Areas, select Create New, set the following information, and select OK.

Area ID	0.0.0.0
Type	Regular
Authentication	None

In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.0.0/255.255.0.0

In Interfaces, select Create New, set the following information, and select OK.

Name	Router1-Internal-DR
Interface	port1 (Internal)
IP	0.0.0.0
Authentication	None
Timers
Hello Interval	10
Dead Interval	40

In Interfaces, select Create New, set the following information, and select OK.

Name	Router1-External
Interface	port2 (External)
IP	0.0.0.0
Authentication	none
Timers
Hello Interval	10
Dead Interval	40

Using the CLI, enter the following commands to set the priority for the Router1‑Internal OSPF interface to maximum, ensuring this interface becomes the DR:

config router ospf

config ospf-interface

edit Router1-Internal-DR

set priority 255

end

To configure OSPF on Router1 - CLI:

config router ospf

set router-id 10.11.101.1

config area

edit 0.0.0.0

end

config network

edit 1

set prefix 10.11.0.0/255.255.255.0

end

config ospf-interface

edit "Router1-Internal"

set interface "port1"

set priority 255

edit "Router1-External"

set interface "port2"

end

Configuring OSPF on Router2

Router2 has a high priority to ensure it becomes the BDR for this area and configures the DSL interface slightly differently. Assume this will be a slower connection resulting in the need for longer timers and a higher cost for this route.

Otherwise, it is a standard OSPF configuration.

To configure OSPF on Router2 - GUI:

Go to Network > OSPF.
Set Router ID to 10.11.101.2 and select Apply.
In Areas, select Create New, set the following information, and select OK.

Area ID	0.0.0.0
Type	Regular
Authentication	None

In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.0.0/255.255.0.0

In Interfaces, select Create New, set the following information, and select OK.

Name	Router2-Internal
Interface	port1 (Internal)
IP	0.0.0.0
Authentication	None
Timers
Hello Interval	10
Dead Interval

In Interfaces, select Create New, set the following information, and select OK.

Name	Router2-External
Interface	port2 (External)
IP	0.0.0.0
Authentication	none
Timers
Hello Interval	10
Dead Interval	40

In Interfaces, select Create New, set the following information, and select OK.

Name	Router2-DSL
Interface	port3 (DSL)
IP	0.0.0.0
Cost	50
Authentication	none
Timers
Hello Interval	20
Dead Interval	80

Using the CLI, enter the following commands to set the priority for the Router2‑Internal OSPF interface to ensure this interface will become the BDR:

config router ospf

config ospf-interface

edit Router2-Internal

set priority 250

end

To configure OSPF on Router2 - CLI:

config router ospf

set router-id 10.11.101.2

config area

edit 0.0.0.0

end

config network

edit 1

set prefix 10.11.0.0/255.255.0.0

end

config ospf-interface

edit "Router2-Internal"

set interface "port1"

set priority 255

edit "Router2-External"

set interface "port2"

edit "Router2-DSL"

set interface "port3"

set cost 50

end

Configuring OSPF on Router3

Router3 is more complex than the other two routers. The interfaces are straightforward, but this router has to import and export routes between OSPF and BGP. That requirement makes Router3 an ASBR. Also, Router3 needs a lower cost on its route to encourage all traffic to the Internet to route through it.

In the advanced OSPF options, redistribute is enabled for Router3. It allows different types of routes, learned outside of OSPF, to be used in OSPF. Different metrics are assigned to these other types of routes to make them more or less preferred to regular OSPF routes.

To configure OSPF on Router3 - GUI:

Go to Network > OSPF.
Set Router ID to 10.11.101.2 and select Apply.
Expand Advanced Options.
In Redistribute, set the following information, and select OK.

Route type	Redistribute	Metric
Connected	Enable	15
Static	Enable	15
RIP	Disable	n/a
BGP	Enable	5

In Areas, select Create New, set the following information, and select OK.

Area ID	0.0.0.0
Type	Regular
Authentication	None

In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.0.0/255.255.0.0

In Interfaces, select Create New, set the following information, and select OK.

Name	Router3-Internal
Interface	port1 (Internal)
IP	0.0.0.0
Authentication	none
Timers
Hello Interval	10
Dead Interval	40

In Interfaces, select Create New, set the following information, and select OK.

Name	Router3-Internal2
Interface	port2 (Internal2)
IP	0.0.0.0
Authentication	none
Timers
Hello Interval	10
Dead Interval	40

In Interfaces, select Create New, set the following information, and select OK.

Name	Router3-ISP-BGP
Interface	port3 (ISP-BGP)
IP	0.0.0.0
Authentication	none
Cost	2
Timers
Hello Interval	20
Dead Interval	80

Using the CLI, enter the following commands to set the priority for the Router3‑Internal OSPF interface to ensure this interface will become the BDR:

config router ospf

config ospf-interface

edit Router3-Internal

set priority 250

end

To configure OSPF on Router3 - CLI:

config router ospf

set router-id 10.11.102.3

config area

edit 0.0.0.0

end

config network

edit 1

set prefix 10.11.0.0/255.255.255.0

edit 2

set prefix 172.20.120.0/255.255.255.0

end

config ospf-interface

edit "Router3-Internal"

set interface "port1"

set priority 255

edit "Router3-External"

set interface "port2"

edit "Router3-ISP-BGP"

set interface "port3"

set cost 2

end

Configuring other networking devices

The other networking devices required in this configuration are on the two ISP networks, the BGP network for the main Internet connection, and the DSL backup connection.

In both cases, the ISPs need to be notified about the OSPF network settings including router IP addresses, timer settings, and so on. The ISP will use this information to configure its routers that connect to this OSPF network.

Testing network configuration

Testing the network configuration involves two parts: testing the network connectivity and testing the OSPF routing.

To test the network connectivity, use ping, traceroute, and other network tools.

To test the OSPF routing in this example, refer to the troubleshooting outlined in Troubleshooting OSPF.