Assign a subnet with the FortiIPAM service
The FortiIPAM (IP Address Management) service automatically assigns subnets to FortiGate so that duplicate or overlapping IP addresses do not occur within the same Security Fabric.
After the FortiIPAM registration is synced to FortiGuard from FortiCare, FortiGate can use FortiIPAM to automatically assign IP addresses based on the configured network size for the FortiGate interface.
FortiIPAM is a paid service, and must be registered to the FortiGate in FortiCare.
To verify the FortiIPAM service registration:
- Go to System > FortiGuard.
- Find the FortiIPAM row and confirm that the FortiIPAM service is registered.
Example
In this example, port5 on the root FortiGate is configured to be managed by FortiIPAM, with a DHCP server enabled to supply IP addresses to the network. The downstream FortiGate gets its IP address from that DHCP server, and then uses FortiIPAM to assign IP addresses to the internal network.
To configure the interface on the root FortiGate in the GUI:
- Go to Network > Interfaces and edit port5.
- Set Role to LAN.
- Set Addressing mode to Auto-managed by FortiIPAM.
- Set Network size as needed.
- Enable DHCP Server. The DHCP settings will be configured by FortiIPAM.
- Click OK.
To view the IP allocation map in the GUI:
- Go to Network > Interfaces and edit port5.
  The interface should have received an IP address from FortiIPAM.
- Click Show Global IP Allocation Map. FortiCloud opens in your default browser.
- Click Login and log in to FortiCloud.
- In the FortiIPAM portal, click on the root FortiGate's subnet then select the SOURCE tab.
  The columns show the device serial number, the interface, how the interface is assigned, and when it was last updated.
To configure DHCP on the downstream FortiGate in the GUI:
- Go to System > FortiGuard and verify FortiIPAM is licensed.
- Go to Network > Interfaces and edit port5.
- Set Addressing mode to DHCP.
- Click OK.
- Edit port5 again, and confirm that it received an IP address from the DHCP server configured on the root FortiGate.
To add the downstream FortiGate to the Security Fabric in the GUI:
- Go to Security Fabric > Fabric Connectors and edit Security Fabric Setup.
- Set Status to Enabled.
- Set Security Fabric role to Join Existing Fabric.
- Enter the FortiGate Root IP address as the Upstream FortiGate IP.
- Click OK.
To configure the interface that connects to the internal network to use FortiIPAM on the downstream FortiGate in the GUI:
- Go to Network > Interfaces and edit port6.
- Set Role to LAN.
- Set Addressing mode to Auto-managed by FortiIPAM.
- Set Network size as needed.
- Enable DHCP Server. The DHCP settings will be configured by FortiIPAM.
- Click OK.
To view the IP allocation map in the GUI:
- Go to Network > Interfaces and edit port6.
- The interface should have received an IP address from FortiIPAM.
- Click Show Global IP Allocation Map. FortiCloud opens in your default browser.
- Click Login and log in to FortiCloud.
- In the FortiIPAM portal, click on a subnet and confirm that the IP address is different than the root FortiGate's IP address.
To configure FortiIPAM in the CLI:
- Verify the FortiIPAM service registration:

    # diagnose test update info
    ...
    System contracts:
    ...
    IPMC,Mon Jun 6 17:00:00 2022
    ...

- Configure the interface on the root FortiGate:

    config system interface
        edit "port5"
            set vdom "root"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 256
        next
    end

    config system dhcp server
        edit 1
            set interface "port5"
            set dhcp-settings-from-fortiipam enable
        next
    end

- View the IP address and DHCP information from the FortiIPAM:

    # show system interface
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.128.1.1 255.255.255.0
            set type physical
            set device-identification enable
            set lldp-transmission enable
            set role lan
            set snmp-index 4
            set ip-managed-by-fortiipam enable
        next
    end

    # show system dhcp server
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 10.128.0.1
            set netmask 255.255.255.0
            set interface "port5"
            config ip-range
                edit 1
                    set start-ip 10.128.0.1
                    set end-ip 10.128.0.254
                next
            end
            set dhcp-settings-from-fortiipam enable
            config exclude-range
                edit 1
                    set start-ip 10.128.0.1
                    set end-ip 10.128.0.1
                next
            end
        next
    end

- Configure DHCP on the downstream FortiGate:

    config system interface
        edit "port5"
            set mode dhcp
        next
    end

- Add the downstream FortiGate to the Security Fabric:

    config system csf
        set status enable
        set upstream-ip 10.128.0.1
    end

- On the downstream FortiGate, configure the interface that connects to the internal network to use FortiIPAM:

    config system interface
        edit "port6"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 512
        next
    end

    config system dhcp server
        edit 1
            set interface "port6"
            set dhcp-settings-from-fortiipam enable
        next
    end
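A check that can follow the show commands above, as an added example that is not part of the Fortinet documentation or FortiOS: it parses pasted show system interface / show system dhcp server output from several FortiGates and reports FortiIPAM-managed subnets that overlap, and DHCP gateways or ranges that fall outside the interface subnet. The parse and audit functions, the device names and the sample configs are constructed for illustration; the parser assumes no configuration value is itself a CLI keyword and that each DHCP server has one ip-range.

```python
import ipaddress
import shlex

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}
def parse(cfg):
    """FortiOS config text -> {section: {entry: {key: value}}}; nested keys are 'sub.key'."""
    out, stack, entry, cmd, args = {}, [], None, None, []
    for tok in shlex.split(cfg) + [None]:          # None flushes the last command
        if tok is not None and tok not in KEYWORDS:
            args.append(tok)
            continue
        if cmd == "config":
            entry = entry if stack else None       # a new top-level section starts clean
            stack.append(" ".join(args))
        elif cmd == "end" and stack:
            stack.pop()
        elif cmd == "edit" and len(stack) == 1:
            entry = out.setdefault(stack[0], {}).setdefault(args[0], {})
        elif cmd == "set" and entry is not None and stack:
            entry[".".join(stack[1:] + args[:1])] = " ".join(args[1:])
        cmd, args = tok, []
    return out

def audit(devices):  # {device name: config text} -> list of finding strings
    findings, seen = [], []
    for dev, cfg in devices.items():
        tree = parse(cfg)
        ifaces = tree.get("system interface", {})
        nets = {n: ipaddress.ip_interface(s["ip"].replace(" ", "/")).network
                for n, s in ifaces.items() if "ip" in s}
        for name, net in nets.items():
            if ifaces[name].get("ip-managed-by-fortiipam") == "enable":
                findings += [f"overlap: {dev}/{name} {net} and {d}/{n} {o}"
                             for d, n, o in seen if net.overlaps(o)]
                seen.append((dev, name, net))
        for s in tree.get("system dhcp server", {}).values():
            net = nets.get(s.get("interface"))
            for key in ("default-gateway", "ip-range.start-ip", "ip-range.end-ip"):
                if net is not None and key in s and ipaddress.ip_address(s[key]) not in net:
                    findings.append(f"dhcp: {dev}/{s['interface']} {key} {s[key]} not in {net}")
    return findings

# Constructed sample configs (not device output), flattened as pasted CLI output often is.
ROOT = ('config system interface edit "port5" set ip 10.128.0.1 255.255.255.0 '
        'set ip-managed-by-fortiipam enable next end config system dhcp server edit 1 '
        'set default-gateway 10.128.0.1 set interface "port5" config ip-range edit 1 '
        'set start-ip 10.128.0.1 set end-ip 10.128.0.254 next end next end')
DOWNSTREAM = ('config system interface edit "port6" set ip 10.128.2.1 255.255.254.0 '
              'set ip-managed-by-fortiipam enable next end')
print(audit({"root": ROOT, "downstream": DOWNSTREAM}) or "no findings")
```

Because the parser works on tokens rather than lines, it accepts both indented and single-line pastes of the same output.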
You can also use the REST API to view the FortiIPAM service information:

    https://172.16.116.xxx/api/v2/monitor/license/status

    ...
    "fortiipam_cloud":{
      "type":"live_cloud_service",
      "status":"licensed",
      "expires":1618531200,
      "entitlement":"IPMC"
    }