Configure IPAM locally on the FortiGate
IPAM (IP address management) is available locally on the FortiGate. A standalone FortiGate, or a Fabric root in the Security Fabric, can act as the IPAM server. Interfaces configured to be auto-managed by IPAM will receive an address from the IPAM server's address/subnet pool. DHCP Server is automatically enabled in the GUI, and the address range is populated by IPAM. Users can customize the address pool subnet and the size of a subnet that an interface can request.
To configure IPAM settings:
config system ipam
    set pool-subnet <class IP and netmask>
    set status {enable | disable}
end
pool-subnet <class IP and netmask>    Set the IPAM pool subnet (a class A or class B subnet).
status {enable | disable}             Enable/disable IP address management services.
In previous FortiOS versions, the set fortiipam-integration option was configured under config system global.
The following options are available for allocating the subnet size:
config system interface
    edit <name>
        set managed-subnetwork-size {32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | 16384 | 32768 | 65536}
    next
end
The value is the number of addresses in the subnet the interface requests from the pool; 256 corresponds to the /24 that an interface receives by default.
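The following is an added example, not code from the page or from Fortinet, that models how a pool subnet is carved into per-interface subnets of the sizes listed above. It is a buddy-style allocator (halve the smallest free block that fits until it matches the requested size) that reproduces the free-subnet layout shown in the Diagnostics section of this page; it is a model for reasoning about pool sizing, not FortiOS's allocator. The class names, the treatment of "class A or B" as a /8 to /16 prefix, and the first-usable-address rule are assumptions.

```python
import ipaddress

# The managed-subnetwork-size values FortiOS accepts (from the CLI syntax above).
MANAGED_SUBNETWORK_SIZES = (32, 64, 128, 256, 512, 1024, 2048, 4096,
                            8192, 16384, 32768, 65536)
DEFAULT_SIZE = 256  # the example on this page shows interfaces receiving a /24 by default


def prefix_for_size(size: int) -> int:
    """Map a managed-subnetwork-size (number of addresses) to an IPv4 prefix length."""
    if size not in MANAGED_SUBNETWORK_SIZES:
        raise ValueError(f"unsupported managed-subnetwork-size: {size}")
    return 33 - size.bit_length()  # 256 -> /24, 32 -> /27, 65536 -> /16


class IpamPoolModel:
    """Buddy-style model of the IPAM pool (an assumption, not FortiOS's implementation).

    A request takes the smallest, lowest-addressed free block that can hold the
    requested size and halves it until the block is exactly that size, returning
    the other halves to the free list.
    """

    def __init__(self, pool_subnet: str):
        pool = ipaddress.ip_network(pool_subnet, strict=True)
        # Assumption: "class A or class B" is modelled as a /8 to /16 IPv4 prefix.
        if pool.version != 4 or not 8 <= pool.prefixlen <= 16:
            raise ValueError("pool-subnet must be a class A or class B subnet")
        self.pool = pool
        self.free = [pool]
        self.allocated = {}  # (serial, interface) -> allocated network

    def request(self, serial: str, interface: str, size: int = DEFAULT_SIZE):
        """Allocate a subnet for an interface; return None if the pool cannot satisfy it."""
        want = prefix_for_size(size)
        fitting = [n for n in self.free if n.prefixlen <= want]
        if not fitting:
            return None  # pool exhausted or too fragmented for this size
        smallest = max(n.prefixlen for n in fitting)
        block = min((n for n in fitting if n.prefixlen == smallest),
                    key=lambda n: n.network_address)
        self.free.remove(block)
        while block.prefixlen < want:
            block, upper = block.subnets(prefixlen_diff=1)  # keep the lower half
            self.free.append(upper)
        self.free.sort(key=lambda n: n.network_address)
        self.allocated[(serial, interface)] = block
        return block

    def interface_address(self, serial: str, interface: str) -> str:
        """The interface IP: first usable address of its subnet, e.g. 172.31.0.1/24 (assumption)."""
        net = self.allocated[(serial, interface)]
        return f"{net[1]}/{net.prefixlen}"

    def largest_available_prefix(self):
        """Prefix length of the largest free block, like 'diagnose sys ipam largest-available-subnet'."""
        return min(n.prefixlen for n in self.free) if self.free else None


if __name__ == "__main__":
    # Replays the allocations from the example on this page (serials taken from the page).
    pool = IpamPoolModel("172.31.0.0/16")
    for serial, iface in [("FG5H1E5818900001", "port3"),    # FGT_AA, the root
                          ("FG5H1E5818900002", "port4"),    # FGT_BB
                          ("F140EP4Q17000000", "port34")]:  # FGT_CC
        pool.request(serial, iface)
        print(serial, iface, pool.interface_address(serial, iface))
    print("free:", [str(n) for n in pool.free])
    print("largest available: /%d" % pool.largest_available_prefix())
```

The model shows why pool sizing matters: once three /24s have been carved from a /16, a later request for 65536 addresses (a /16) can never be satisfied, while a request for 32768 still gets 172.31.128.0/17.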
Example
In this example, FGT_AA is the Security Fabric root with IPAM enabled. FGT_BB and FGT_CC are downstream Fabric devices and retrieve IPAM information from FGT_AA. The Fabric interface on all FortiGates is port2. FGT_AA acts as the DHCP server, and FGT_BB acts as the DHCP client.
To configure IPAM locally in the Security Fabric:
- On the root FortiGate, go to Network > Interfaces and edit port3.
- For Addressing Mode, select Auto-Managed by IPAM. DHCP Server is automatically enabled.
- In this example, IPAM is not enabled yet. Click Enable IPAM. The Edit Fabric Connector pane opens.
- Enter the Pool subnet (only class A and B are allowed) and click OK. The root FortiGate is now the IPAM server in the Security Fabric. The following is configured in the backend:
    config system interface
        edit "port3"
            set vdom "root"
            set ip 172.31.0.1 255.255.255.0
            set type physical
            set device-identification enable
            set snmp-index 5
            set ip-managed-by-fortiipam enable
        next
    end
    config system ipam
        set status enable
    end
  IPAM is managing the 172.31.0.0/16 network and assigned port3 a /24 network by default.
  The IP/Netmask field in the Address section has been automatically assigned a class C IP by IPAM. The Address range and Netmask fields in the DHCP Server section have also been automatically configured by IPAM.
- Click OK.
- Log in to FGT_BB and set the Addressing Mode of port4 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.1.1/24.
- Log in to FGT_CC and set the Addressing Mode of port34 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.2.1/24.
Any interface on a downstream FortiGate can be managed by the IPAM server. The interface does not have to be directly connected to the Fabric root FortiGate.
To edit the IPAM subnet:
- Go to Security Fabric > Fabric Connectors and double-click the IP Address Management (IPAM) card.
- Edit the pool subnet if needed.
- In the right-side pane, click View Allocated IP Addresses to view the subnet allocations (port34, port3, and port4) and DHCP lease information. On FGT_BB, port3 is a DHCP client and the DHCP server interface (FGT_AA port3) is managed by IPAM, so it is displayed in the Manually Configured section.
  The same allocated IP address information is available in the IP Address Management (IPAM) widget that can be added to the Dashboard > Status page.
- Click OK.
On downstream FortiGates, the settings on the IP Address Management (IPAM) card cannot be changed if IPAM is enabled on the root FortiGate.
Diagnostics
Use the following commands to view IPAM related diagnostics.
To view the largest available subnet size:
# diagnose sys ipam largest-available-subnet
Largest available subnet is a /17.
To verify IPAM allocation information:
# diagnose sys ipam dump-ipams-entries
IPAM Entries: (sn, vdom, interface, subnet/mask, flag)
F140EP4Q17000000 root port34 172.31.2.1/24 0
FG5H1E5818900001 root port3 172.31.0.1/24 0
FG5H1E5818900002 root port4 172.31.1.1/24 0
FG5H1E5818900003 root port3 172.31.0.2/24 1
To verify the available subnets:
# diagnose sys ipam dump-ipams-free-subnets
IPAM free subnets: (subnet/mask)
172.31.3.0/24
172.31.4.0/22
172.31.8.0/21
172.31.16.0/20
172.31.32.0/19
172.31.64.0/18
172.31.128.0/17
To remove a device from IPAM in the Security Fabric:
# diagnose sys ipam delete-device-from-ipams F140EP4Q17000000
Successfully removed device F140EP4Q17000000 from ipam
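The three dump commands above are most useful when their outputs are checked against each other. The following is an added example, not code from the page or from Fortinet, that parses constructed copies of the dump-ipams-entries and dump-ipams-free-subnets output (shaped like the output shown above) and reconciles them against the configured pool: every allocated and free block must lie inside the pool, no two may overlap, together they must account for every address in the pool, and each DHCP lease must fall inside an allocated subnet. It also derives the largest available subnet, which should agree with the largest-available-subnet command. The reading of the flag column (0 = subnet allocation, 1 = DHCP lease, as suggested by the FGT_BB port3 entry above) and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample output, in the shape shown on this page (not captured from a device).
ENTRIES_OUTPUT = """\
IPAM Entries: (sn, vdom, interface, subnet/mask, flag)
F140EP4Q17000000 root port34 172.31.2.1/24 0
FG5H1E5818900001 root port3 172.31.0.1/24 0
FG5H1E5818900002 root port4 172.31.1.1/24 0
FG5H1E5818900003 root port3 172.31.0.2/24 1
"""

FREE_OUTPUT = """\
IPAM free subnets: (subnet/mask)
172.31.3.0/24
172.31.4.0/22
172.31.8.0/21
172.31.16.0/20
172.31.32.0/19
172.31.64.0/18
172.31.128.0/17
"""

# sn, vdom, interface, address/prefix, flag  (the header line does not match this shape)
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+/\d+)\s+(\d)$")


def parse_entries(text):
    """Parse dump-ipams-entries output into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sn, vdom, iface, cidr, flag = m.groups()
        entries.append({"sn": sn, "vdom": vdom, "interface": iface,
                        "address": ipaddress.ip_interface(cidr), "flag": int(flag)})
    return entries


def parse_free(text):
    """Parse dump-ipams-free-subnets output into a list of networks."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and not line.startswith("IPAM"):
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def reconcile(pool_cidr, entries, free):
    """Cross-check allocations and free blocks against the pool; return findings."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    problems = []
    # Assumption: flag 0 is a subnet allocation, flag 1 is a DHCP lease inside one.
    allocated = [e["address"].network for e in entries if e["flag"] == 0]
    leases = [e for e in entries if e["flag"] == 1]
    blocks = allocated + free
    for n in blocks:  # 1. everything must be inside the configured pool
        if not n.subnet_of(pool):
            problems.append(f"{n} is outside pool {pool}")
    for i, a in enumerate(blocks):  # 2. allocations and free blocks must be disjoint
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    covered = sum(n.num_addresses for n in blocks)  # 3. they must tile the whole pool
    if covered != pool.num_addresses:
        problems.append(f"{covered} of {pool.num_addresses} pool addresses accounted for")
    for e in leases:  # 4. a lease must sit in a subnet IPAM handed out
        if not any(e["address"].ip in n for n in allocated):
            problems.append(f"lease {e['address'].ip} on {e['sn']} {e['interface']} "
                            "is not inside any allocated subnet")
    largest = min(n.prefixlen for n in free) if free else None
    return {"allocated": allocated, "leases": len(leases),
            "largest_available_prefix": largest, "problems": problems}


if __name__ == "__main__":
    result = reconcile("172.31.0.0/16", parse_entries(ENTRIES_OUTPUT), parse_free(FREE_OUTPUT))
    print("allocated:", [str(n) for n in result["allocated"]])
    print("largest available: /%s" % result["largest_available_prefix"])
    print("problems:", result["problems"] or "none")
```

Run it against real output by replacing the two constructed strings with the text the CLI returns; a non-empty problems list after a device has been removed with delete-device-from-ipams, or after the pool subnet has been edited, is the condition worth investigating.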