Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

FortiExtender LAN extension in public cloud FGT-VM 7.0.4

The FortiExtender LAN extension feature allows a FortiGate to extend its LAN functionality to a remote FortiExtender. In this enhancement, the FortiExtender LAN extension is added to the FGT-VM running on Public Clouds.

Topology in demo configuration:

GUI

The LAN-extension interface is up on the FGT-AWS.

The FGT-AWS LAN-extension interface is able to act as a DHCP server over VXLAN, and remote branch computers (In this demo, it's an FGT61F) behind the FortiExtender is able to get IP addresses from the DHCP server on the FGT-AWS LAN-extension interface.

CLI

Step 1: Configure the FortiExtender:

 FX200F5919000000 # config system interface
    FX200F5919000000 (interface) # edit port1
    FX200F5919000000 (port1) # set mode static
    FX200F5919000000 (port1) <M> # set ip 5.5.5.1/24
    FX200F5919000000 (port1) <M> # set gateway 5.5.5.99
    FX200F5919000000 (port1) <M> # end
    
    FX200F5919000000 # execute ping 18.234.125.193
    PING 18.234.125.193 (18.234.125.193): 56 data bytes
    64 bytes from 18.234.125.193: seq=0 ttl=233 time=68.132 ms
    
    FX200F5919000000 # config system management
    FX200F5919000000 (management) # set discovery-type fortigate
    Changing "discovery-type" may affect networking mode and virtual-wire-pair configuration, resulting in system reboot!
    Do you want to continue? (y/n)y
    
    FX200F5919000000 (management) <M> # config fortigate
    FX200F5919000000 (fortigate) # set ac-discovery-type static
    FX200F5919000000 (fortigate) <M> # config static-ac-addr
    FX200F5919000000 (static-ac-addr) # edit 1
    FX200F5919000000 (1) <M> # set server 18.234.125.193
    FX200F5919000000 (1) <M> # next
    FX200F5919000000 (static-ac-addr) # end
    FX200F5919000000 (fortigate) <M> # set discovery-intf port1
    FX200F5919000000 (fortigate) <M> # end
    FX200F5919000000 (management) <M> # end

    config system switch-interface
        edit le-switch
            set members le-agg-link lan
            set stp disable
        next
    end
    edit lan
        set type lan-switch
        set status up
        set mode static
        set ip
        set gateway
        set mtu-override enable
        set mtu 1500
        set distance 50
        set vrrp-virtual-mac enable
        config vrrp
            set status disable
        end
        set allowaccess http https ssh ping telnet
    next
    config system lan-switch
        config ports
            edit port4
            next
            edit port5
            next
        end
    end

Step 2: Configure the FGT-AWS:

FGT-AWS-EXT # show system global
    config system global
        set fortiextender enable
        set hostname "FGT-AWS-EXT"
    end
    config system interface
        edit "port1"
            set allowaccess ping https ssh http fgfm fabric
        next
    end
    config extender-controller extender  <=======This table is automatically added after FGT detects the FEXT over "fabric" protocol on the port1
        edit "FX0035919000000"
            set id "FX200F5919000000"
            set device-id 0
            set extension-type lan-extension
            set profile "FX200F-lanext-default"
        next
    end
    config extender-controller extender-profile
        edit "FX200F-lanext-default"
            set id 0
            set model FX200F
            set extension lan-extension
            config lan-extension
                set ipsec-tunnel "fext-ipsec-ufLq"
                set backhaul-interface "port1"
                set backhaul-ip "18.234.125.193"
                config backhaul
                    edit "1"
                        set port port1
                        set role primary
                    next
                end
            end
        next
    end
    config extender-controller extender
        edit "FX0035919000000"
            set authorized enable
        next
    end

Step 3: IPSec is connected between FGT-AWS and FEXT automatically. No need to configure it manually. Ensure that IPSec works:

FGT-AWS-EXT # sh vpn ipsec phase1-interface
            config vpn ipsec phase1-interface
                edit "fext-ipsec-v3JH"
                    set type dynamic
                    set interface "port1"
                    set ike-version 2
                    set peertype one
                    set net-device disable
                    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                    set localid "localid-760sv1bSXj2wrUASE1uwcryLKi1XEUlmh1v1FehZ2u97lqHDPUkCjFh"
                    set dpd on-idle
                    set comments "[FX200F-lanext-default] Do NOT edit. Automatically generated by extender controller."
                    set peerid "peerid-4GyQg3yg01w5ye7oaPQNQlQs9fM8qyXReabC3lBsOPeZGSdiqfJp8tjl"
                    set psksecret ENC IyjGZpuZykJBmtOL4cfEoQQ/yNM4N1kDXvB/TBq6dXlzeXymkw8cyoizM2a8SeyWao2sGnLCkqqkHItruVfy7jy10dMp6AzaFlnxP6f9k8hTEBKxqUOS3+ccvSLFWvM7ouuaWgA6Hdu4StWsBVMc85tBFe+H6PTnVpRFaRCYQE0yatuM9tcWQXCilsuv66HlAYvGlw==
                    set dpd-retryinterval 60
                next
            end
        
        FGT-AWS-EXT # diagnose vpn tunnel list
            list all ipsec tunnel in vd 0
            ------------------------------------------------------
            name=fext-ipsec-v3JH_0 ver=2 serial=3 10.0.1.175:4500->204.101.161.19:64916 tun_id=204.101.161.19 tun_id6=::10.0.0.3 dst_mtu=9001 dpd-link=on weight=1
            bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/9088 options[2380]=rgwy-chg rport-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
            parent=fext-ipsec-v3JH index=0
            proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
            stat: rxp=6334 txp=710 rxb=1190272 txb=62655
            dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
            natt: mode=keepalive draft=0 interval=10 remote_port=64916
            proxyid=fext-ipsec-v3JH proto=0 sa=1 ref=4 serial=1 add-route
              src: 0:10.252.0.1-10.252.0.1:0
              dst: 0:10.252.0.2-10.252.0.2:0
              SA:  ref=3 options=682 type=00 soft=0 mtu=8926 expire=40316/0B replaywin=2048
                   seqno=2c7 esn=0 replaywin_lastseq=000018be itn=0 qat=0 hash_search_len=1
              life: type=01 bytes=0/0 timeout=43189/43200
              dec: spi=07c1e02b esp=aes key=16 b0e867d4cb6b4ebc6778ea7dff3819db
                   ah=sha1 key=20 70e681e26a5bdcaa60e16f32d714b4ee74073306
              enc: spi=c6e96e0d esp=aes key=16 139e01770682b809d24702bb9c446e8f
                   ah=sha1 key=20 89ffb4be3b6b9db9145be6f0d37ee49d01940a2f
              dec:pkts/bytes=6334/764822, enc:pkts/bytes=710/115536
            ------------------------------------------------------
            name=fext-ipsec-v3JH ver=2 serial=1 10.0.1.175:0->0.0.0.0:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=0 dpd-link=on weight=1
            bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc  accept_traffic=1 overlay_id=0
            proxyid_num=0 child_num=1 refcnt=3 ilast=2907 olast=2907 ad=/0
            stat: rxp=6336 txp=712 rxb=1190592 txb=62823
            dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
            natt: mode=none draft=0 interval=0 remote_port=0
            run_tally=0

Step 4: Ensure that VXLAN over IPSec is set up automatically between the FGT cloud VM and the FortiExtender. No need to configure it manually.

 FGT-AWS-EXT # diagnose sys vxlan fdb list FX0035919000000
            mac=00:00:00:00:00:00 state=0x0082 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9
            mac=e8:1c:ba:c4:4e:b8 state=0x0002 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9
            mac=04:d5:90:7a:50:a8 state=0x0002 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9

            total fdb num: 3

Step 5: Set the IP address for the FGT-AWS LAN-extension interface, and ensure that the FGT-AWS LAN-extension interface is able to act as DHCP server over VXLAN:

FGT-AWS-EXT # show system dhcp server 100

config system dhcp server
    edit 100
        set default-gateway 192.168.3.99
        set netmask 255.255.255.0
        set interface "FX0035919000000"
        config ip-range
            edit 1
                set start-ip 192.168.3.2
                set end-ip 192.168.3.98
            next
        end
    next
end

config system interface
    edit "FX0035919000000"
        set vdom "root"
        set ip 192.168.3.99 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type lan-extension
        set role lan
        set snmp-index 7
        set interface "fext-ipsec-v3JH"
    next
end



***** FEXT le-switch interface is able to get the ip (192.168.3.2) from FGT-AWS vxlan interface dhcp server
FX200F5919000000 # get system interface
== [ le-switch ]
name: le-switch       status: online/up/link up       type: switch          mac: e8:1c:ba:c4:4e:b8   mode: dhcp            ip: 192.168.3.2/24      mtu: 1500
                    gateway: 192.168.3.99

***** Remote branch PC behind FEXT lan interface is able to get the ip from FGT-AWS vxlan interface dhcp server. 
In this demo, a FGT61F acts as a PC behind FEXT, this FGT61 wan1 interface is the same switch as FEXT lan interface port4. 
Set FGT61 wan1 interface as dhcp client, it can get ip address (in this demo it's 192.168.3.3) from FGT-AWS lan-extension interface.

FGT61FTK19006594 # show system interface wan1
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh snmp
        set type physical
        set role wan
        set snmp-index 1
    next
end

FGT61FTK19006594 # diag hardware deviceinfo nic wan1
Current_HWaddr       04:d5:90:7a:50:a8
Permanent_HWaddr     04:d5:90:7a:50:a8

Step 6: Ensure that the FGT-AWS is able to access the remote branch behind the FortiExtender via VXLAN:

FGT-AWS-EXT # exec ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3): 56 data bytes
64 bytes from 192.168.3.3: icmp_seq=0 ttl=255 time=68.9 ms
64 bytes from 192.168.3.3: icmp_seq=1 ttl=255 time=68.6 ms

FGT-AWS-EXT # diag ip arp list
index=13 ifname=FX0035919000000 192.168.3.3 04:d5:90:7a:50:a8 state=00000008 use=362 confirm=362 update=429 ref=3

 

FortiExtender LAN extension in public cloud FGT-VM 7.0.4

The FortiExtender LAN extension feature allows a FortiGate to extend its LAN functionality to a remote FortiExtender. In this enhancement, the FortiExtender LAN extension is added to the FGT-VM running on Public Clouds.

Topology in demo configuration:

GUI

The LAN-extension interface is up on the FGT-AWS.

The FGT-AWS LAN-extension interface is able to act as a DHCP server over VXLAN, and remote branch computers (In this demo, it's an FGT61F) behind the FortiExtender is able to get IP addresses from the DHCP server on the FGT-AWS LAN-extension interface.

CLI

Step 1: Configure the FortiExtender:

 FX200F5919000000 # config system interface
    FX200F5919000000 (interface) # edit port1
    FX200F5919000000 (port1) # set mode static
    FX200F5919000000 (port1) <M> # set ip 5.5.5.1/24
    FX200F5919000000 (port1) <M> # set gateway 5.5.5.99
    FX200F5919000000 (port1) <M> # end
    
    FX200F5919000000 # execute ping 18.234.125.193
    PING 18.234.125.193 (18.234.125.193): 56 data bytes
    64 bytes from 18.234.125.193: seq=0 ttl=233 time=68.132 ms
    
    FX200F5919000000 # config system management
    FX200F5919000000 (management) # set discovery-type fortigate
    Changing "discovery-type" may affect networking mode and virtual-wire-pair configuration, resulting in system reboot!
    Do you want to continue? (y/n)y
    
    FX200F5919000000 (management) <M> # config fortigate
    FX200F5919000000 (fortigate) # set ac-discovery-type static
    FX200F5919000000 (fortigate) <M> # config static-ac-addr
    FX200F5919000000 (static-ac-addr) # edit 1
    FX200F5919000000 (1) <M> # set server 18.234.125.193
    FX200F5919000000 (1) <M> # next
    FX200F5919000000 (static-ac-addr) # end
    FX200F5919000000 (fortigate) <M> # set discovery-intf port1
    FX200F5919000000 (fortigate) <M> # end
    FX200F5919000000 (management) <M> # end

    config system switch-interface
        edit le-switch
            set members le-agg-link lan
            set stp disable
        next
    end
    edit lan
        set type lan-switch
        set status up
        set mode static
        set ip
        set gateway
        set mtu-override enable
        set mtu 1500
        set distance 50
        set vrrp-virtual-mac enable
        config vrrp
            set status disable
        end
        set allowaccess http https ssh ping telnet
    next
    config system lan-switch
        config ports
            edit port4
            next
            edit port5
            next
        end
    end

Step 2: Configure the FGT-AWS:

FGT-AWS-EXT # show system global
    config system global
        set fortiextender enable
        set hostname "FGT-AWS-EXT"
    end
    config system interface
        edit "port1"
            set allowaccess ping https ssh http fgfm fabric
        next
    end
    config extender-controller extender  <=======This table is automatically added after FGT detects the FEXT over "fabric" protocol on the port1
        edit "FX0035919000000"
            set id "FX200F5919000000"
            set device-id 0
            set extension-type lan-extension
            set profile "FX200F-lanext-default"
        next
    end
    config extender-controller extender-profile
        edit "FX200F-lanext-default"
            set id 0
            set model FX200F
            set extension lan-extension
            config lan-extension
                set ipsec-tunnel "fext-ipsec-ufLq"
                set backhaul-interface "port1"
                set backhaul-ip "18.234.125.193"
                config backhaul
                    edit "1"
                        set port port1
                        set role primary
                    next
                end
            end
        next
    end
    config extender-controller extender
        edit "FX0035919000000"
            set authorized enable
        next
    end

Step 3: IPSec is connected between FGT-AWS and FEXT automatically. No need to configure it manually. Ensure that IPSec works:

FGT-AWS-EXT # sh vpn ipsec phase1-interface
            config vpn ipsec phase1-interface
                edit "fext-ipsec-v3JH"
                    set type dynamic
                    set interface "port1"
                    set ike-version 2
                    set peertype one
                    set net-device disable
                    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                    set localid "localid-760sv1bSXj2wrUASE1uwcryLKi1XEUlmh1v1FehZ2u97lqHDPUkCjFh"
                    set dpd on-idle
                    set comments "[FX200F-lanext-default] Do NOT edit. Automatically generated by extender controller."
                    set peerid "peerid-4GyQg3yg01w5ye7oaPQNQlQs9fM8qyXReabC3lBsOPeZGSdiqfJp8tjl"
                    set psksecret ENC IyjGZpuZykJBmtOL4cfEoQQ/yNM4N1kDXvB/TBq6dXlzeXymkw8cyoizM2a8SeyWao2sGnLCkqqkHItruVfy7jy10dMp6AzaFlnxP6f9k8hTEBKxqUOS3+ccvSLFWvM7ouuaWgA6Hdu4StWsBVMc85tBFe+H6PTnVpRFaRCYQE0yatuM9tcWQXCilsuv66HlAYvGlw==
                    set dpd-retryinterval 60
                next
            end
        
        FGT-AWS-EXT # diagnose vpn tunnel list
            list all ipsec tunnel in vd 0
            ------------------------------------------------------
            name=fext-ipsec-v3JH_0 ver=2 serial=3 10.0.1.175:4500->204.101.161.19:64916 tun_id=204.101.161.19 tun_id6=::10.0.0.3 dst_mtu=9001 dpd-link=on weight=1
            bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/9088 options[2380]=rgwy-chg rport-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
            parent=fext-ipsec-v3JH index=0
            proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
            stat: rxp=6334 txp=710 rxb=1190272 txb=62655
            dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
            natt: mode=keepalive draft=0 interval=10 remote_port=64916
            proxyid=fext-ipsec-v3JH proto=0 sa=1 ref=4 serial=1 add-route
              src: 0:10.252.0.1-10.252.0.1:0
              dst: 0:10.252.0.2-10.252.0.2:0
              SA:  ref=3 options=682 type=00 soft=0 mtu=8926 expire=40316/0B replaywin=2048
                   seqno=2c7 esn=0 replaywin_lastseq=000018be itn=0 qat=0 hash_search_len=1
              life: type=01 bytes=0/0 timeout=43189/43200
              dec: spi=07c1e02b esp=aes key=16 b0e867d4cb6b4ebc6778ea7dff3819db
                   ah=sha1 key=20 70e681e26a5bdcaa60e16f32d714b4ee74073306
              enc: spi=c6e96e0d esp=aes key=16 139e01770682b809d24702bb9c446e8f
                   ah=sha1 key=20 89ffb4be3b6b9db9145be6f0d37ee49d01940a2f
              dec:pkts/bytes=6334/764822, enc:pkts/bytes=710/115536
            ------------------------------------------------------
            name=fext-ipsec-v3JH ver=2 serial=1 10.0.1.175:0->0.0.0.0:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=0 dpd-link=on weight=1
            bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc  accept_traffic=1 overlay_id=0
            proxyid_num=0 child_num=1 refcnt=3 ilast=2907 olast=2907 ad=/0
            stat: rxp=6336 txp=712 rxb=1190592 txb=62823
            dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
            natt: mode=none draft=0 interval=0 remote_port=0
            run_tally=0

Step 4: Ensure that VXLAN over IPSec is set up automatically between the FGT cloud VM and the FortiExtender. No need to configure it manually.

 FGT-AWS-EXT # diagnose sys vxlan fdb list FX0035919000000
            mac=00:00:00:00:00:00 state=0x0082 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9
            mac=e8:1c:ba:c4:4e:b8 state=0x0002 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9
            mac=04:d5:90:7a:50:a8 state=0x0002 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9

            total fdb num: 3

Step 5: Set the IP address for the FGT-AWS LAN-extension interface, and ensure that the FGT-AWS LAN-extension interface is able to act as DHCP server over VXLAN:

FGT-AWS-EXT # show system dhcp server 100

config system dhcp server
    edit 100
        set default-gateway 192.168.3.99
        set netmask 255.255.255.0
        set interface "FX0035919000000"
        config ip-range
            edit 1
                set start-ip 192.168.3.2
                set end-ip 192.168.3.98
            next
        end
    next
end

config system interface
    edit "FX0035919000000"
        set vdom "root"
        set ip 192.168.3.99 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type lan-extension
        set role lan
        set snmp-index 7
        set interface "fext-ipsec-v3JH"
    next
end



***** FEXT le-switch interface is able to get the ip (192.168.3.2) from FGT-AWS vxlan interface dhcp server
FX200F5919000000 # get system interface
== [ le-switch ]
name: le-switch       status: online/up/link up       type: switch          mac: e8:1c:ba:c4:4e:b8   mode: dhcp            ip: 192.168.3.2/24      mtu: 1500
                    gateway: 192.168.3.99

***** Remote branch PC behind FEXT lan interface is able to get the ip from FGT-AWS vxlan interface dhcp server. 
In this demo, a FGT61F acts as a PC behind FEXT, this FGT61 wan1 interface is the same switch as FEXT lan interface port4. 
Set FGT61 wan1 interface as dhcp client, it can get ip address (in this demo it's 192.168.3.3) from FGT-AWS lan-extension interface.

FGT61FTK19006594 # show system interface wan1
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh snmp
        set type physical
        set role wan
        set snmp-index 1
    next
end

FGT61FTK19006594 # diag hardware deviceinfo nic wan1
Current_HWaddr       04:d5:90:7a:50:a8
Permanent_HWaddr     04:d5:90:7a:50:a8

Step 6: Ensure that the FGT-AWS is able to access the remote branch behind the FortiExtender via VXLAN:

FGT-AWS-EXT # exec ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3): 56 data bytes
64 bytes from 192.168.3.3: icmp_seq=0 ttl=255 time=68.9 ms
64 bytes from 192.168.3.3: icmp_seq=1 ttl=255 time=68.6 ms

FGT-AWS-EXT # diag ip arp list
index=13 ifname=FX0035919000000 192.168.3.3 04:d5:90:7a:50:a8 state=00000008 use=362 confirm=362 update=429 ref=3