Fortinet black logo

Administration Guide

Assign a subnet with the FortiIPAM service

Assign a subnet with the FortiIPAM service

The FortiIPAM (IP Address Management) service automatically assigns subnets to FortiGate to prevent duplicate IP addresses from overlapping within the same Security Fabric.

After the FortiIPAM registration is synced to FortiGuard from FortiCare, FortiGate can use FortiIPAM to automatically assign IP addresses based on the configured network size for the FortiGate interface.

Note

FortiIPAM is a paid service, and must be registered to the FortiGate in FortiCare.

To verify the FortiIPAM service registration:
  1. Go to System > FortiGuard.
  2. Find the FortiIPAM row and confirm that the FortiIPAM service is registered.

Example

In this example, port5 on the root FortiGate is configured to be managed by FortiIPAM, with DHCP to supply IP address to the network. The downstream FortiGate gets its IP address from the DHCP, and then uses FortiIPAM to assign IP addresses to the internal network.

To configure the interface on the root FortiGate in the GUI:
  1. Go to Network > Interfaces and edit port5.

  2. Set Role to LAN.

  3. Set Addressing mode to Auto-managed by FortiIPAM.

  4. Set Network size as needed.

  5. Enable DHCP Server. The DHCP settings will be configured by FortiIPAM.

  6. Click OK.

To view the IP allocation map in the GUI:
  1. Go to Network > Interfaces and edit port5.

    The interface should have received an IP address from FortiIPAM.

  2. Click Show Global IP Allocation Map. FortiCloud opens in your default browser.

  3. Click Login and log in to FortiCloud.

  4. In the FortiIPAM portal, click on the root FortiGate's subnet then select the SOURCE tab.

    The columns show the device serial number, the interface, how the interface is assigned, and when it was last updated.

To configure DHCP on the downstream FortiGate in the GUI:
  1. Go to System > FortiGuard and verify FortiIPAM is licensed.

  2. Go to Network > Interfaces and edit port5.

  3. Set Addressing mode to DHCP.

  4. Click OK.

  5. Edit port5 again, and confirm that it received an IP address from the DHCP server configured on the root FortiGate.

To add the downstream FortiGate to the Security Fabric in the GUI:
  1. Go to Security Fabric > Fabric Connectors and edit Security Fabric Setup.

  2. Set Status to Enabled.

  3. Set Security Fabric role to Join Existing Fabric.

  4. Enter the FortiGate Root IP address as the Upstream FortiGate IP.

  5. Click OK.

To configure the interface that connects to the internal network to use FortiIPAM on the downstream FortiGate in the GUI:
  1. Go to Network > Interfaces and edit port6.

  2. Set Role to LAN.

  3. Set Addressing mode to Auto-managed by FortiIPAM.

  4. Set Network size as needed.

  5. Enable DHCP Server. The DHCP settings will be configured by FortiIPAM.

  6. Click OK.

To view the IP allocation map in the GUI:
  1. Go to Network > Interfaces and edit port6.

  2. The interface should have received an IP address from FortiIPAM.

  3. Click Show Global IP Allocation Map. FortiCloud opens in your default browser.

  4. Click Loginand log in to FortiCloud.

  5. In the FortiIPAM portal, click on a subnet and confirm that the IP address is different than the root FortiGate's IP address.

To configure FortiIPAM in the CLI:
  1. Verify the FortiIPAM service registration:

    # diagnose test update info
    ...
    System contracts:
    ...
        IPMC,Mon Jun  6 17:00:00 2022
    ...
  2. Configure the interface on the root FortiGate:

    config system interface
        edit "port5"
            set vdom "root"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 256
        next
    end
    config system dhcp server
        edit 1
            set interface "port5"
            set dhcp-settings-from-fortiipam enable
        next
    end
  3. View the IP address and DHCP information from the FortiIPAM:

    # show system interface
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.128.1.1 255.255.255.0
            set type physical
            set device-identification enable
            set lldp-transmission enable
            set role lan
            set snmp-index 4
            set ip-managed-by-fortiipam enable
        next
    end
    # show system dhcp server
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 10.128.0.1
            set netmask 255.255.255.0
            set interface "port5"
            config ip-range
                edit 1
                    set start-ip 10.128.0.1
                    set end-ip 10.128.0.254
                next
            end
            set dhcp-settings-from-fortiipam enable
            config exclude-range
                edit 1
                    set start-ip 10.128.0.1
                    set end-ip 10.128.0.1
                next
            end
        next
    end
  4. Configure DHCP on the downstream FortiGate:

    config system interface
        edit "port5"
            set mode dhcp
        next
    end
  5. Add the downstream FortiGate to the Security Fabric

    config system csf
        set status enable
        set upstream-ip 10.128.0.1
    end
  6. On the downstream FortiGate, configure the interface that connects to the internal network to use FortiIPAM:

    config system interface
        edit "port6"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 512
        next
    end
    config system dhcp server
        edit 1
            set interface "port6"
            set dhcp-settings-from-fortiipam enable
        next
    end
Tooltip

You can also use the REST API to view the FortiIPAM service information:

https://172.16.116.xxx/api/v2/monitor/license/status
..."fortiipam_cloud":{
    "type":"live_cloud_service",
    "status":"licensed",
    "expires":1618531200,
    "entitlement":"IPMC"
}

Related Videos

sidebar video

Assign a Subnet to FortiGate with the FortiPAM Service

  • 3,011 views
  • 3 years ago

Assign a subnet with the FortiIPAM service

The FortiIPAM (IP Address Management) service automatically assigns subnets to FortiGate to prevent duplicate IP addresses from overlapping within the same Security Fabric.

After the FortiIPAM registration is synced to FortiGuard from FortiCare, FortiGate can use FortiIPAM to automatically assign IP addresses based on the configured network size for the FortiGate interface.

Note

FortiIPAM is a paid service, and must be registered to the FortiGate in FortiCare.

To verify the FortiIPAM service registration:
  1. Go to System > FortiGuard.
  2. Find the FortiIPAM row and confirm that the FortiIPAM service is registered.

Example

In this example, port5 on the root FortiGate is configured to be managed by FortiIPAM, with DHCP to supply IP address to the network. The downstream FortiGate gets its IP address from the DHCP, and then uses FortiIPAM to assign IP addresses to the internal network.

To configure the interface on the root FortiGate in the GUI:
  1. Go to Network > Interfaces and edit port5.

  2. Set Role to LAN.

  3. Set Addressing mode to Auto-managed by FortiIPAM.

  4. Set Network size as needed.

  5. Enable DHCP Server. The DHCP settings will be configured by FortiIPAM.

  6. Click OK.

To view the IP allocation map in the GUI:
  1. Go to Network > Interfaces and edit port5.

    The interface should have received an IP address from FortiIPAM.

  2. Click Show Global IP Allocation Map. FortiCloud opens in your default browser.

  3. Click Login and log in to FortiCloud.

  4. In the FortiIPAM portal, click on the root FortiGate's subnet then select the SOURCE tab.

    The columns show the device serial number, the interface, how the interface is assigned, and when it was last updated.

To configure DHCP on the downstream FortiGate in the GUI:
  1. Go to System > FortiGuard and verify FortiIPAM is licensed.

  2. Go to Network > Interfaces and edit port5.

  3. Set Addressing mode to DHCP.

  4. Click OK.

  5. Edit port5 again, and confirm that it received an IP address from the DHCP server configured on the root FortiGate.

To add the downstream FortiGate to the Security Fabric in the GUI:
  1. Go to Security Fabric > Fabric Connectors and edit Security Fabric Setup.

  2. Set Status to Enabled.

  3. Set Security Fabric role to Join Existing Fabric.

  4. Enter the FortiGate Root IP address as the Upstream FortiGate IP.

  5. Click OK.

To configure the interface that connects to the internal network to use FortiIPAM on the downstream FortiGate in the GUI:
  1. Go to Network > Interfaces and edit port6.

  2. Set Role to LAN.

  3. Set Addressing mode to Auto-managed by FortiIPAM.

  4. Set Network size as needed.

  5. Enable DHCP Server. The DHCP settings will be configured by FortiIPAM.

  6. Click OK.

To view the IP allocation map in the GUI:
  1. Go to Network > Interfaces and edit port6.

  2. The interface should have received an IP address from FortiIPAM.

  3. Click Show Global IP Allocation Map. FortiCloud opens in your default browser.

  4. Click Loginand log in to FortiCloud.

  5. In the FortiIPAM portal, click on a subnet and confirm that the IP address is different than the root FortiGate's IP address.

To configure FortiIPAM in the CLI:
  1. Verify the FortiIPAM service registration:

    # diagnose test update info
    ...
    System contracts:
    ...
        IPMC,Mon Jun  6 17:00:00 2022
    ...
  2. Configure the interface on the root FortiGate:

    config system interface
        edit "port5"
            set vdom "root"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 256
        next
    end
    config system dhcp server
        edit 1
            set interface "port5"
            set dhcp-settings-from-fortiipam enable
        next
    end
  3. View the IP address and DHCP information from the FortiIPAM:

    # show system interface
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.128.1.1 255.255.255.0
            set type physical
            set device-identification enable
            set lldp-transmission enable
            set role lan
            set snmp-index 4
            set ip-managed-by-fortiipam enable
        next
    end
    # show system dhcp server
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 10.128.0.1
            set netmask 255.255.255.0
            set interface "port5"
            config ip-range
                edit 1
                    set start-ip 10.128.0.1
                    set end-ip 10.128.0.254
                next
            end
            set dhcp-settings-from-fortiipam enable
            config exclude-range
                edit 1
                    set start-ip 10.128.0.1
                    set end-ip 10.128.0.1
                next
            end
        next
    end
  4. Configure DHCP on the downstream FortiGate:

    config system interface
        edit "port5"
            set mode dhcp
        next
    end
  5. Add the downstream FortiGate to the Security Fabric

    config system csf
        set status enable
        set upstream-ip 10.128.0.1
    end
  6. On the downstream FortiGate, configure the interface that connects to the internal network to use FortiIPAM:

    config system interface
        edit "port6"
            set ip-managed-by-fortiipam enable
            set managed-subnetwork-size 512
        next
    end
    config system dhcp server
        edit 1
            set interface "port6"
            set dhcp-settings-from-fortiipam enable
        next
    end
Tooltip

You can also use the REST API to view the FortiIPAM service information:

https://172.16.116.xxx/api/v2/monitor/license/status
..."fortiipam_cloud":{
    "type":"live_cloud_service",
    "status":"licensed",
    "expires":1618531200,
    "entitlement":"IPMC"
}