Configure IPAM locally on the FortiGate 7.0.2

IPAM (IP address management) is now available locally on the FortiGate. A standalone FortiGate, or a Fabric root in the Security Fabric, can act as the IPAM server. Interfaces configured to be auto-managed by IPAM will receive an address from the IPAM server's address/subnet pool. DHCP Server is automatically enabled in the GUI, and the address range is populated by IPAM. Users can customize the address pool subnet and the size of a subnet that an interface can request.

To configure IPAM settings:
config system ipam
    set pool-subnet <class IP and netmask>
    set status {enable | disable}
end

pool-subnet <class IP and netmask>

Set the IPAM pool subnet; it must be a class A or class B subnet.

status {enable | disable}

Enable/disable IP address management services.

In previous FortiOS versions, the set fortiipam-integration option was configured under config system global.

Three additional options are available (32, 64, and 128) for allocating the subnet size:

config system interface
    set managed-subnetwork-size {32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | 16384 | 32768 | 65536}
end

Example

In this example, FGT_AA is the Security Fabric root with IPAM enabled. FGT_BB and FGT_CC are downstream Fabric devices and retrieve IPAM information from FGT_AA. The Fabric interface on all FortiGates is port2. FGT_AA acts as the DHCP server, and FGT_BB acts as the DHCP client.

To configure IPAM locally in the Security Fabric:
  1. On the root FortiGate, go to Network > Interfaces and edit port3.

  2. For Addressing Mode, select Auto-Managed by IPAM. DHCP Server is automatically enabled.

  3. In this example, IPAM is not enabled yet. Click Enable IPAM. The Edit Fabric Connector pane opens.

  4. Enter the Pool subnet (only class A and B are allowed) and click OK. The root FortiGate is now the IPAM server in the Security Fabric. The following is configured in the backend:

    config system interface
        edit "port3"
            set vdom "root"
            set ip 172.31.0.1 255.255.255.0
            set type physical
            set device-identification enable
            set snmp-index 5
            set ip-managed-by-fortiipam enable
        next
    end
    
    config system ipam
        set status enable
    end

    IPAM is managing a 172.31.0.0/16 network and assigned port3 a /24 network by default.

    The IP/Netmask field in the Address section has been automatically assigned a class C IP by IPAM. The Address range and Netmask fields in the DHCP Server section have also been automatically configured by IPAM.

  5. Click OK.

  6. Log in to FGT_BB and set the Addressing Mode of port4 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.1.1/24.

  7. Log in to FGT_CC and set the Addressing Mode of port34 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.2.1/24.

Note

Any interface on a downstream FortiGate can be managed by the IPAM server. The interface does not have to be directly connected to the Fabric root FortiGate.

To edit the IPAM subnet:
  1. Go to Security Fabric > Fabric Connectors and double-click the IP Address Management (IPAM) card.

  2. Edit the pool subnet if needed.

  3. In the right-side pane, click View Allocated IP Addresses to view the subnet allocations (port34, port3, and port3) and DHCP lease information. On FGT_BB, port3 is a DHCP client and the DHCP server interface (FGT_AA port3) is managed by IPAM, so it is displayed in the Manually Configured section.

    Tooltip

    The same allocated IP address information is available in the IP Address Management (IPAM) widget that can be added to the Dashboard > Status page.

  4. Click OK.

    On downstream FortiGates, the settings on the IP Address Management (IPAM) card cannot be changed if IPAM is enabled on the root FortiGate.

Diagnostics

Use the following commands to view IPAM-related diagnostics.

To view the largest available subnet size:
# diagnose sys ipam largest-available-subnet
Largest available subnet is a /17.

To verify IPAM allocation information:
# diagnose sys ipam dump-ipams-entries
IPAM Entries: (sn, vdom, interface, subnet/mask, flag)
  F140EP4Q17000000 root port34 172.31.2.1/24 0
  FG5H1E5818900001 root port3 172.31.0.1/24 0
  FG5H1E5818900002 root port4 172.31.1.1/24 0
  FG5H1E5818900003 root port3 172.31.0.2/24 1

To verify the available subnets:
# diagnose sys ipam dump-ipams-free-subnets
IPAM free subnets: (subnet/mask)
  172.31.3.0/24
  172.31.4.0/22
  172.31.8.0/21
  172.31.16.0/20
  172.31.32.0/19
  172.31.64.0/18
  172.31.128.0/17

To remove a device from IPAM in the Security Fabric:
# diagnose sys ipam delete-device-from-ipams F140EP4Q17000000
Successfully removed device F140EP4Q17000000 from ipam
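The following is an added example, not Fortinet's code: a small Python model of the IPAM pool that reproduces the allocations and diagnostic output above (three /24 requests from 172.31.0.0/16, the resulting free-subnet list, the /17 largest-available figure, and the effect of removing a device). It assumes a buddy-style split of the pool, which is an inference from the free-subnet output; FortiOS does not publish its allocation algorithm, and the class names and method names are invented for the example.

```python
import ipaddress

# Subnet sizes accepted by "set managed-subnetwork-size" on this page.
SIZES = {32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536}


class IpamPool:
    """Buddy-style model of the IPAM pool. Assumption: FortiOS does not publish its
    algorithm; a buddy split is the simplest one that reproduces the page's output."""

    def __init__(self, pool_subnet):
        self.pool = ipaddress.ip_network(pool_subnet)
        if not 8 <= self.pool.prefixlen <= 16:      # only class A or B pools are allowed
            raise ValueError("pool-subnet must be a class A or class B subnet")
        self.free = [self.pool]   # free blocks, as in dump-ipams-free-subnets
        self.entries = []         # (sn, interface, subnet), as in dump-ipams-entries

    def allocate(self, sn, iface, size=256):
        """Carve `size` addresses for `iface` on `sn`; return 'a.b.c.d/len' (first host) or None."""
        if size not in SIZES:
            raise ValueError(f"unsupported managed-subnetwork-size {size}")
        want = 33 - size.bit_length()               # 256 addresses -> /24
        fits = [n for n in self.free if n.prefixlen <= want]
        if not fits:
            return None
        # Best fit: smallest free block that holds the request, lowest address on ties.
        block = min(fits, key=lambda n: (-n.prefixlen, int(n.network_address)))
        self.free.remove(block)
        while block.prefixlen < want:               # split, keeping the upper half free
            block, upper = block.subnets(prefixlen_diff=1)
            self.free.append(upper)
        self.entries.append((sn, iface, block))
        return f"{block[1]}/{block.prefixlen}"

    def free_subnets(self):                         # as dump-ipams-free-subnets prints it
        return [str(n) for n in sorted(self.free)]

    def largest_available(self):                    # as largest-available-subnet reports it
        return min(n.prefixlen for n in self.free)

    def delete_device(self, sn):
        """Like delete-device-from-ipams: give back the device's subnets, merge buddies."""
        self.free += [b for d, _, b in self.entries if d == sn]
        self.entries = [e for e in self.entries if e[0] != sn]
        while True:                                 # coalesce until no free buddy pair is left
            parents = {n.supernet(prefixlen_diff=1) for n in self.free if n != self.pool}
            whole = [p for p in parents if all(h in self.free for h in p.subnets(prefixlen_diff=1))]
            if not whole:
                return
            self.free = [x for x in self.free if x.supernet(prefixlen_diff=1) != whole[0]]
            self.free.append(whole[0])
```

Running the three allocations from the example in order (FGT_AA port3, FGT_BB port4, FGT_CC port34) yields exactly the free-subnet list and the /17 figure shown in the diagnostics; a request that no free block can hold returns None rather than overlapping an existing allocation.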
