
Administration Guide

Assign a subnet with the FortiIPAM service


The FortiIPAM (IP Address Management) service automatically assigns subnets to FortiGate to prevent duplicate and overlapping IP addresses within the same Security Fabric.

After the FortiIPAM registration is synced to FortiGuard from FortiCare, FortiGate can use FortiIPAM to automatically assign IP addresses based on the configured network size for the FortiGate interface.

Requirements:

Register the FortiIPAM service for FortiGate in FortiCare.

Note: FortiIPAM is a paid service.

To verify the FortiIPAM service registration in the GUI:
  1. Go to System > FortiGuard to verify the FortiIPAM service is registered. If the service is registered, the FortiIPAM area at the bottom of the page displays a check mark as well as the license expiry date.

Example

In this example, you will configure port5 on FortiGate Root to be managed by FortiIPAM and specify the network size. Next you will enable DHCP on the interface to supply IP addresses to this network.

Once FortiIPAM is designated as the IP source, you will configure the port5 interface on FortiGate Downstream to obtain an IP from DHCP to connect it to FortiGate Root and add it to the Security Fabric. Lastly, you will use FortiIPAM to assign IP addresses to the Internal Network.

  1. On FortiGate Root, edit port5 and configure the interface to be managed by FortiIPAM.
    1. Go to Network > Interfaces, and double-click port5 to edit it. The Edit Interface window opens.
    2. From the Role dropdown, select LAN.
    3. In the Addressing mode area, select Auto-managed by FortiIPAM. An information icon appears next to IP/Netmask and below the Network Size dropdown indicating FortiIPAM will allocate an IP subnet with the selected size.
    4. From the Network Size dropdown, select the size of the network segment for this interface.
    5. Enable DHCP Server to allow the interface to supply IP addresses to this network.

      You do not need to configure Address range and Netmask. These will be configured by FortiIPAM.

    6. Click OK. Port5 gets an IP address from FortiIPAM corresponding to the network size. It will also start assigning addresses through DHCP. Refresh this page if an IP has not been assigned.

  2. View the IP allocation map.
    1. Go to Network > Interfaces, and double-click port5 to view it.
    2. In the IP/Netmask area, click Show Global IP Allocation Map. You are redirected to FortiCloud.

    3. Click Login. The FortiIPAM portal opens. The List View displays the assigned IP entries.
    4. Double-click an IP entry and click the Source tab. The IP source appears in the Device column. The Interface column displays the port. Assign Type displays Auto. Last Updated displays the assign time.

  3. On FortiGate Root, go to Network > Interfaces. The DHCP Server settings are configured automatically.
  4. On FortiGate Downstream, configure port5 to obtain an IP from DHCP.
    1. Go to System > FortiGuard, and verify FortiIPAM is licensed.
    2. Go to Network > Interfaces, and double-click port5 to edit it.
    3. In the Addressing mode area, select DHCP and click OK. The interface will get its IP address from the DHCP server configured on FortiGate Root.
    4. In Network > Interfaces, double-click port5. The following fields appear in the Address area:
      • Status
      • Obtained IP/Netmask
      • Expiry Date
      • Acquired DNS

  5. Add FortiGate Downstream to the Security Fabric.
    1. Go to Security Fabric > Fabric Connectors. In the Security Fabric Settings area, set Status to Enabled.
    2. In the Upstream FortiGate IP field, enter the IP address for FortiGate Root, and click OK. The Topology pane shows the connection is established.

  6. On FortiGate Downstream, configure port6 to use FortiIPAM.
    1. Go to Network > Interfaces. Double-click port6 to edit it.
    2. From the Role dropdown, select LAN.
    3. In the Addressing mode area, select Auto-managed by FortiIPAM.
    4. From the Network Size dropdown, select a different network size. In this example, the network size was increased to 512.

    5. Wait a while and then double-click port6. The IP/Netmask is auto-populated.
    6. Enable DHCP Server to allow the interface to supply IP addresses to this network.
  7. Go back to the FortiIPAM portal in FortiCloud.
    1. The List View tab shows the IP addresses for the downstream FortiGates.
    2. Select a subnet, and click the Source tab. The source details show that the IP is different from the root FortiGate, preventing conflicts.

To view the FortiIPAM service details in the CLI:

Use the diagnose command to view the FortiIPAM service information in FortiGate.

    Root-E (global) # diagnose test update info
    ...
    System contracts:
    ...
    IPMC,Thu Apr 15 17:00:00 2021

Tip

You can also use the REST API to get the FortiIPAM service information.

    https://172.16.116.xxx/api/v2/monitor/license/status

    ..."fortiipam_cloud":{
        "type":"live_cloud_service",
        "status":"licensed",
        "expires":1618531200,
        "entitlement":"IPMC"
    }

To configure FortiIPAM in the CLI:
  1. On FortiGate Root, edit port5 and configure the interface to be managed by FortiIPAM. Use managed-subnetwork-size to specify the network size of the network segment for this interface.

    In this example, the network size is 256.

    config system interface
        edit "port5"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 256
        next
    end

  2. On the same interface, enable the DHCP server to supply IP addresses to this network.

    Note: No configuration is required unless you need to change the defaults.

    config system dhcp server
        edit 1
            set interface "port5"
            set dhcp-settings-from-fortiipam enable
        next
    end

  3. Once FortiIPAM completes the address configuration, the configurations will appear as follows:

    show system interface
    ...
        edit "port5"
            set vdom "root"
            set ip 10.128.6.1 255.255.255.0
            set allowaccess ping https ssh http fabric
            set type physical
            set device-identification enable
            set lldp-transmission enable
            set role lan
            set snmp-index 5
            set ip-managed-by-fortiipam enable
        next
    ...
    end

    show system dhcp server
        edit 1
            set dns-service default
            set default-gateway 10.128.6.1
            set netmask 255.255.255.0
            set interface "port5"
            config ip-range
                edit 1
                    set start-ip 10.128.6.1
                    set end-ip 10.128.6.254
                next
            end
            set dhcp-settings-from-fortiipam enable
            config exclude-range
                edit 1
                    set start-ip 10.128.6.1
                    set end-ip 10.128.6.1
                next
            end
        next
    end

  4. On FortiGate Downstream, configure port5 to obtain an IP from DHCP.

    config system interface
        edit "port5"
            set mode dhcp
        next
    end

  5. After the IP is assigned and the device is connected to FortiGate Root, add FortiGate Downstream to the Security Fabric.
  6. Once FortiGate Downstream is connected to the Security Fabric, you can configure the port6 interface to use the FortiIPAM service as well.
  7. On FortiGate Downstream, set the interface to be managed by the FortiIPAM service, and increase the managed-subnetwork-size value.

    In this example, the network size was increased to 512.

    config system interface
        edit "port6"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 512
        next
    end

  8. Configure the DHCP server on this port to assign IP addresses to this subnet.

    config system dhcp server
        edit 1
            set interface "port6"
            set dhcp-settings-from-fortiipam enable
        next
    end

  9. Go to the FortiIPAM Portal to view the IP addresses.
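
An offline check of the result this procedure aims for, added here as an example (not Fortinet code): it parses `show system interface` output collected from each fabric member, confirms that `managed-subnetwork-size` matches the address count of the assigned subnet, and flags overlapping subnets across devices. It assumes the size is the subnet's address count, as the 256 and 255.255.255.0 pairing on this page suggests; the function names, the Downstream addresses and the manually addressed `port7` are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed `show system interface` excerpts; only Root port5 is from this page.
SAMPLE = {
    "FortiGate Root": '''config system interface
    edit "port5"
        set ip 10.128.6.1 255.255.255.0
        set ip-managed-by-fortiipam enable
    next
end''',
    "FortiGate Downstream": '''config system interface
    edit "port6"
        set ip 10.128.8.1 255.255.254.0
        set ip-managed-by-fortiipam enable
        set managed-subnetwork-size 512
    next
    edit "port7"
        set ip 10.128.6.129 255.255.255.128
    next
end''',
}

def parse_interfaces(device, text):
    """Return (device, port, network, managed, size) per addressed interface."""
    rows, depth, port, net, managed, size = [], 0, None, None, False, None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] in ("config", "end"):  # track nesting; skip nested sub-tables
            depth += 1 if words[0] == "config" else -1
        elif depth != 1:
            continue
        elif words[0] == "edit":
            port, net, managed, size = words[1].strip('"'), None, False, None
        elif words[0] == "next" and port and net:
            rows.append((device, port, net, managed, size))
        elif words[:2] == ["set", "ip"] and len(words) == 4:
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words[:2] == ["set", "ip-managed-by-fortiipam"]:
            managed = words[2] == "enable"
        elif words[:2] == ["set", "managed-subnetwork-size"]:
            size = int(words[2])
    return rows

def audit(configs):
    """Return findings: size mismatches on managed ports, then overlapping subnets."""
    rows = [r for dev, text in configs.items() for r in parse_interfaces(dev, text)]
    findings = [f"{d} {p}: {n} holds {n.num_addresses} addresses, expected {s}"
                for d, p, n, m, s in rows if m and s is not None and n.num_addresses != s]
    return findings + [f"overlap: {a[0]} {a[1]} {a[2]} <-> {b[0]} {b[1]} {b[2]}"
                       for a, b in combinations(rows, 2) if a[2].overlaps(b[2])]
```

Calling `audit(SAMPLE)` reports the constructed `port7` subnet as overlapping Root `port5`. Interfaces without a `set ip` line, such as the DHCP-mode port5 on FortiGate Downstream, are skipped.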
