Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.5 Administration Guide
    6.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Assign a subnet with the FortiIPAM service

    Assign a subnet with the FortiIPAM service

    The FortiIPAM (IP Address Management) service automatically assigns subnets to FortiGate to prevent duplicate IP addresses from overlapping within the same Security Fabric.

    After the FortiIPAM registration is synced to FortiGuard from FortiCare, FortiGate can use FortiIPAM to automatically assign IP addresses based on the configured network size for the FortiGate interface.

    Requirements:

    Register the FortiIPAM service for FortiGate in FortiCare.

    Note

    FortiIPAM is a paid service.
    To verify the FortiIPAM service registration in the GUI:
    1. Go to System > FortiGuard to verify the FortiIPAM service is registered. If the service is registered, the FortiIPAM area at the bottom of the page displays a check mark as well as the license expiry date.

    Example

    In this example, you will configure port5 on FortiGate Root to be managed by FortiIPAM and specify the network size. Next you will enable DHCP on the interface to supply IP addresses to this network.

    Once FortiIPAM is designated as the IP source, you will configure the port5 interface on FortiGate Downstream to obtain an IP from DHCP to connect it to FortiGate Root and add it to the Security Fabric. Lastly, you will use FortiIPAM to assign IP addresses to the Internal Network.

    1. On FortiGate Root, edit port5 and configure the interface to be managed by FortiIPAM.
      1. Go to Network > Interfaces, and double-click port5 to edit it. The Edit Interface window opens.
      2. From the Role dropdown, select LAN.
      3. In the Addressing mode area, select Auto-managed by FortiIPAM. An information icon appears next to IP/Netmask and below the Network Size dropdown indicating FortiIPAM will allocate an IP subnet with the selected size.
      4. From the Network Size dropdown, select the size of the network segment for this interface.
      5. Enable DHCP Server to allow the interface to supply IP addresses to this network.

        You do not need to configure Address range and Netmask. These will be configured by FortiIPAM.

      6. Click OK. Port5 gets an IP address from FortiIPAM corresponding to the network size. It will also start assigning addresses through DHCP. Refresh this page if an IP has not been assigned.

    2. View the IP allocation map.
      1. Go to Network > Interfaces, and double-click port5 to view it.
      2. In the IP/Netmask area, click Show Global IP Allocation Map. You are redirected to FortiCloud.

      3. Click Login. The FortiIPAM portal opens. The List View displays the assigned IP entries.
      4. Double-click an IP entry and click the Source tab. The IP source appears in the Device column. The Interface column displays the port. Assign Type displays Auto. Last Updated displays the assign time.

    3. On FortiGate Root go to Network > Interfaces. The DHCP Server settings are configured automatically.
    4. On FortiGate Downstream, configure port5 to obtain an IP from DHCP.
      1. Go to System > FortiGuard, and verify FortiIPAM is licensed.
      2. Go to Network > Interfaces, and double click port5 to edit it.
      3. In the Addressing mode area, select DHCP and click OK. The interface will get its IP address from the DHCP server configured on FortiGate Root.
      4. In Network > Interfaces, double-click port5. The following fields appear in the Address area:
        • Status.
        • Obtained IP/Netmask
        • Expiry Date
        • Acquired DNS

    5. Add FortiGate Downstream to the Security Fabric.
      1. Go to Security Fabric > Fabric Connectors. In the Security Fabric Settings area, set Status to Enabled.
      2. In the Upstream FortiGate IP field, enter the IP address for FortiGate Root, and click OK. The Topology pane shows the connection is established.

    6. On FortiGate Downstream, configure port6 to use FortiIPAM.
      1. Go to Network > Interfaces. Double-click port6 to edit it.
      2. From the Role dropdown, select LAN.
      3. In the Address mode area, select Auto-managed by FortiIPAM.
      4. From the Network size dropdown, select a different network size. In this example, the network size was increased to 512.

      5. Wait a while and then double-click port6. The IP/Netmask is auto-populated.
      6. Enable DHCP Server to allow the interface to supply IP addresses to this network.
    7. Go back to the FortiIPAM portal in FortiCloud.
      1. The List View tab shows the IP addresses for the downstream FortiGates.
      2. Select a subnet, and click the Source tab. The source details show that the IP is different from the root FortiGate, preventing conflicts.

    To view the FortiIPAM service details in the CLI:

    Use the diagnose command to view the FortiIPAM service information in FortiGate.

    Root-E (global) # diagnose test update info

    ...

    System contracts:

    ...

    IPMC,Thu Apr 15 17:00:00 2021

    Tooltip

    You can also use the REST API to get the FortiIPAM service information.

    https://172.16.116.xxx/api/v2/monitor/license/status

    ..."fortiipam_cloud":{

    "type":"live_cloud_service",

    "status":"licensed",

    "expires":1618531200,

    "entitlement":"IPMC"

    }
    To configure FortiIPAM in the CLI:
    1. On FortiGate Root , edit port5 and configure the interface to be managed by FortiIPAM. Use managed-subnetwork-size to specify the network size of the network segment for this interface.

      In this example, the network size 256.

      config system interface

      edit "port5"

      set ip-managed-by-fortiipam enable

      set managed-subnetwork-size 256

      next

      end

    2. On the same interface, enable DHCP server on this interface to supply IP addresses to this network.
      Note

      No configuration is required unless you need to change the defaults.

      config system dhcp server

      edit 1

      set interface "port5"

      set dhcp-settings-from-fortiipam enable

      next

      end

    3. Once FortiIPAM completes the address configuration, the configurations will appear as follows:

      show system interface

      ...

      edit "port5"

      set vdom "root"

      set ip 10.128.6.1 255.255.255.0

      set allowaccess ping https ssh http fabric

      set type physical

      set device-identification enable

      set lldp-transmission enable

      set role lan

      set snmp-index 5

      set ip-managed-by-fortiipam enable

      next

      ...

      end

      show system dhcp server

      edit 1

      set dns-service default

      set default-gateway 10.128.6.1

      set netmask 255.255.255.0

      set interface "port5"

      config ip-range

      edit 1

      set start-ip 10.128.6.1

      set end-ip 10.128.6.254

      next

      end

      set dhcp-settings-from-fortiipam enable

      config exclude-range

      edit 1

      set start-ip 10.128.6.1

      set end-ip 10.128.6.1

      next

      end

      next

      end

    4. On FortiGate Downstream, configure port5 to obtain an IP from DHCP.

      config system interface

      edit "port5"

      set mode dhcp

      next

      end

    5. After the IP is assigned and the device is connected to FortiGate Root , add FortiGate Downstream to the Security Fabric.
    6. Once FortiGate Downstream is connected to the Security Fabric, you can configure the port6 interface to use the FortiIPAM service as well.
    7. On FortiGate Downstream , set the interface to be managed by the FortiIPAM service, and increase the managed-subnetwork-size value.

      In this example, the network size was increased to 512.

      config system interface

      edit "port5"

      set ip-managed-by-fortiipam enable

      set managed-subnetwork-size 512

      next

      end

    8. Configure the DHCP server on this port to assign IP addresses to this subnet.

      config system dhcp server

      edit 1

      set interface "port6"

      set dhcp-settings-from-fortiipam enable

      next

      end

    9. Go to the FortiIPAM Portal to view the IP addresses.

    Previous
    Next

    Related Videos

    sidebar video

    Assign a Subnet to FortiGate with the FortiPAM Service

    • 3,180 views
    • 4 years ago

    Assign a subnet with the FortiIPAM service

    Assign a subnet with the FortiIPAM service

    The FortiIPAM (IP Address Management) service automatically assigns subnets to FortiGate to prevent duplicate IP addresses from overlapping within the same Security Fabric.

    After the FortiIPAM registration is synced to FortiGuard from FortiCare, FortiGate can use FortiIPAM to automatically assign IP addresses based on the configured network size for the FortiGate interface.

    Requirements:

    Register the FortiIPAM service for FortiGate in FortiCare.

    Note

    FortiIPAM is a paid service.
    To verify the FortiIPAM service registration in the GUI:
    1. Go to System > FortiGuard to verify the FortiIPAM service is registered. If the service is registered, the FortiIPAM area at the bottom of the page displays a check mark as well as the license expiry date.

    Example

    In this example, you will configure port5 on FortiGate Root to be managed by FortiIPAM and specify the network size. Next you will enable DHCP on the interface to supply IP addresses to this network.

    Once FortiIPAM is designated as the IP source, you will configure the port5 interface on FortiGate Downstream to obtain an IP from DHCP to connect it to FortiGate Root and add it to the Security Fabric. Lastly, you will use FortiIPAM to assign IP addresses to the Internal Network.

    1. On FortiGate Root, edit port5 and configure the interface to be managed by FortiIPAM.
      1. Go to Network > Interfaces, and double-click port5 to edit it. The Edit Interface window opens.
      2. From the Role dropdown, select LAN.
      3. In the Addressing mode area, select Auto-managed by FortiIPAM. An information icon appears next to IP/Netmask and below the Network Size dropdown indicating FortiIPAM will allocate an IP subnet with the selected size.
      4. From the Network Size dropdown, select the size of the network segment for this interface.
      5. Enable DHCP Server to allow the interface to supply IP addresses to this network.

        You do not need to configure Address range and Netmask. These will be configured by FortiIPAM.

      6. Click OK. Port5 gets an IP address from FortiIPAM corresponding to the network size. It will also start assigning addresses through DHCP. Refresh this page if an IP has not been assigned.

    2. View the IP allocation map.
      1. Go to Network > Interfaces, and double-click port5 to view it.
      2. In the IP/Netmask area, click Show Global IP Allocation Map. You are redirected to FortiCloud.

      3. Click Login. The FortiIPAM portal opens. The List View displays the assigned IP entries.
      4. Double-click an IP entry and click the Source tab. The IP source appears in the Device column. The Interface column displays the port. Assign Type displays Auto. Last Updated displays the assign time.

    3. On FortiGate Root go to Network > Interfaces. The DHCP Server settings are configured automatically.
    4. On FortiGate Downstream, configure port5 to obtain an IP from DHCP.
      1. Go to System > FortiGuard, and verify FortiIPAM is licensed.
      2. Go to Network > Interfaces, and double click port5 to edit it.
      3. In the Addressing mode area, select DHCP and click OK. The interface will get its IP address from the DHCP server configured on FortiGate Root.
      4. In Network > Interfaces, double-click port5. The following fields appear in the Address area:
        • Status.
        • Obtained IP/Netmask
        • Expiry Date
        • Acquired DNS

    5. Add FortiGate Downstream to the Security Fabric.
      1. Go to Security Fabric > Fabric Connectors. In the Security Fabric Settings area, set Status to Enabled.
      2. In the Upstream FortiGate IP field, enter the IP address for FortiGate Root, and click OK. The Topology pane shows the connection is established.

    6. On FortiGate Downstream, configure port6 to use FortiIPAM.
      1. Go to Network > Interfaces. Double-click port6 to edit it.
      2. From the Role dropdown, select LAN.
      3. In the Address mode area, select Auto-managed by FortiIPAM.
      4. From the Network size dropdown, select a different network size. In this example, the network size was increased to 512.

      5. Wait a while and then double-click port6. The IP/Netmask is auto-populated.
      6. Enable DHCP Server to allow the interface to supply IP addresses to this network.
    7. Go back to the FortiIPAM portal in FortiCloud.
      1. The List View tab shows the IP addresses for the downstream FortiGates.
      2. Select a subnet, and click the Source tab. The source details show that the IP is different from the root FortiGate, preventing conflicts.

    To view the FortiIPAM service details in the CLI:

    Use the diagnose command to view the FortiIPAM service information in FortiGate.

    Root-E (global) # diagnose test update info

    ...

    System contracts:

    ...

    IPMC,Thu Apr 15 17:00:00 2021

    Tooltip

    You can also use the REST API to get the FortiIPAM service information.

    https://172.16.116.xxx/api/v2/monitor/license/status

    ..."fortiipam_cloud":{

    "type":"live_cloud_service",

    "status":"licensed",

    "expires":1618531200,

    "entitlement":"IPMC"

    }
    To configure FortiIPAM in the CLI:
    1. On FortiGate Root , edit port5 and configure the interface to be managed by FortiIPAM. Use managed-subnetwork-size to specify the network size of the network segment for this interface.

      In this example, the network size 256.

      config system interface

      edit "port5"

      set ip-managed-by-fortiipam enable

      set managed-subnetwork-size 256

      next

      end

    2. On the same interface, enable DHCP server on this interface to supply IP addresses to this network.
      Note

      No configuration is required unless you need to change the defaults.

      config system dhcp server

      edit 1

      set interface "port5"

      set dhcp-settings-from-fortiipam enable

      next

      end

    3. Once FortiIPAM completes the address configuration, the configurations will appear as follows:

      show system interface

      ...

      edit "port5"

      set vdom "root"

      set ip 10.128.6.1 255.255.255.0

      set allowaccess ping https ssh http fabric

      set type physical

      set device-identification enable

      set lldp-transmission enable

      set role lan

      set snmp-index 5

      set ip-managed-by-fortiipam enable

      next

      ...

      end

      show system dhcp server

      edit 1

      set dns-service default

      set default-gateway 10.128.6.1

      set netmask 255.255.255.0

      set interface "port5"

      config ip-range

      edit 1

      set start-ip 10.128.6.1

      set end-ip 10.128.6.254

      next

      end

      set dhcp-settings-from-fortiipam enable

      config exclude-range

      edit 1

      set start-ip 10.128.6.1

      set end-ip 10.128.6.1

      next

      end

      next

      end

    4. On FortiGate Downstream, configure port5 to obtain an IP from DHCP.

      config system interface

      edit "port5"

      set mode dhcp

      next

      end

    5. After the IP is assigned and the device is connected to FortiGate Root , add FortiGate Downstream to the Security Fabric.
    6. Once FortiGate Downstream is connected to the Security Fabric, you can configure the port6 interface to use the FortiIPAM service as well.
    7. On FortiGate Downstream , set the interface to be managed by the FortiIPAM service, and increase the managed-subnetwork-size value.

      In this example, the network size was increased to 512.

      config system interface

      edit "port5"

      set ip-managed-by-fortiipam enable

      set managed-subnetwork-size 512

      next

      end

    8. Configure the DHCP server on this port to assign IP addresses to this subnet.

      config system dhcp server

      edit 1

      set interface "port6"

      set dhcp-settings-from-fortiipam enable

      next

      end

    9. Go to the FortiIPAM Portal to view the IP addresses.

    Previous
    Next