Configure IPAM locally on the FortiGate
IPAM (IP address management) is available locally on the FortiGate. A standalone FortiGate, or a Fabric root in the Security Fabric, can act as the IPAM server. Interfaces configured to be auto-managed by IPAM will receive an address from the IPAM server's address/subnet pool. DHCP Server is automatically enabled in the GUI, and the address range is populated by IPAM. Users can customize the address pool subnet and the size of a subnet that an interface can request.
Interfaces with a LAN role, wireless network interfaces (vap-switch type), and FortiExtender LAN extension interfaces (lan-extension type) can receive an IP address from an IPAM server without any additional configuration at the interface level (see Interfaces for more information).
IPAM detects and resolves any IP conflicts that may occur on the interfaces that it manages.
IPAM can be configured on the Network > IPAM page using the IPAM Settings, IPAM Rules, and IPAM Interfaces tabs.
To configure IPAM settings:
config system ipam
    set pool-subnet <class IP and netmask>
    set status {enable | disable}
    set automatic-conflict-resolution {enable | disable}
    set manage-lan-addresses {enable | disable}
    set manage-lan-extension-addresses {enable | disable}
    set manage-ssid-addresses {enable | disable}
    config pools
        edit <pool_name>
            set subnet <IP address/netmask>
        next
    end
    config rules
        edit <rule_name>
            set device <name1> <name2> ...
            set interface <name1> <name2> ...
            set pool <pool_name>
        next
    end
end
| Option | Description |
| --- | --- |
| pool-subnet <class IP and netmask> | Set the IPAM pool subnet, class A or class B subnet. |
| status {enable \| disable} | Enable/disable IP address management services. |
| automatic-conflict-resolution {enable \| disable} | Enable/disable automatic conflict resolution. When |
| manage-lan-addresses {enable \| disable}* | Enable/disable default management of LAN interface addresses. |
| manage-lan-extension-addresses {enable \| disable}* | Enable/disable default management of FortiExtender LAN extension interface addresses. |
| manage-ssid-addresses {enable \| disable}* | Enable/disable default management of FortiAP SSID addresses. |
| config pools | Set the subnet for the IP pool. |
| config rules | Set the device, interface, and IP pool for IPAM rules. |
* When a manage-* option is enabled, any interface that meets the specified criteria will automatically receive an IP address from IPAM. If the option is disabled, interfaces that meet the criteria will not be configured by IPAM. All manage-* options are disabled by default. The central FortiIPAM configuration can be overridden at the interface level.
To override the central FortiIPAM configuration at the interface level:
config system interface
    edit <name>
        set ip-managed-by-fortiipam {enable | disable | inherit-global}
    next
end
The default setting is to inherit from the global configuration (inherit-global).
The following options are available for allocating the subnet size:
config system interface
    edit <name>
        set managed-subnetwork-size {32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | 16384 | 32768 | 65536}
    next
end
Example 1: physical interfaces
In this example, FGT_AA is the Security Fabric root with IPAM enabled. FGT_BB and FGT_CC are downstream Fabric devices and retrieve IPAM information from FGT_AA. The Fabric interface on all FortiGates is port2. FGT_AA acts as the DHCP server, and FGT_BB acts as the DHCP client.
To configure IPAM locally in the Security Fabric:
- On the root FortiGate, go to Network > Interfaces and edit port3.
- For Addressing Mode, select Auto-Managed by IPAM. DHCP Server is automatically enabled.
- In this example, IPAM is not enabled yet. Click Enable IPAM. The Subnets Managed by IPAM pane opens.
- Select Enabled, enter the Pool subnet (only class A and B are allowed), and click OK. The root FortiGate is now the IPAM server in the Security Fabric.
The following is configured in the backend:
config system interface
    edit "port3"
        set vdom "root"
        set ip 172.31.0.1 255.255.0.0
        set type physical
        set device-identification enable
        set snmp-index 5
        set ip-managed-by-fortiipam enable
    next
end
config system ipam
    set status enable
end
IPAM is managing a 172.31.0.0/16 network and assigned port3 a /24 network by default.
The IP/Netmask field in the Address section has been automatically assigned a class C IP by IPAM. The Address range and Netmask fields in the DHCP Server section have also been automatically configured by IPAM.
- Click OK.
- Log in to FGT_BB and set the Addressing Mode of port4 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.1.1/24.
- Log in to FGT_CC and set the Addressing Mode of port34 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.2.1/24.
Any interface on a downstream FortiGate can be managed by the IPAM server. The interface does not have to be directly connected to the Fabric root FortiGate.
To edit the IPAM subnet:
- Go to Network > IPAM > IPAM Settings.
- Edit the pool subnet if needed.
- Click OK.
On downstream FortiGates, the settings on the Network > IPAM > IPAM Settings tab cannot be changed if IPAM is enabled on the root FortiGate.
Go to Network > IPAM > IPAM Interfaces to view the subnet allocations (port34, port3, and port3) and DHCP lease information. On FGT_BB, port3 is a DHCP client and the DHCP server interface (FGT_AA port3) is managed by IPAM, so it is displayed in the Manually Configured section.
Example 2: wireless network and FortiExtender LAN extension interfaces
In this example, the FortiGate serves as the Security Fabric root and has two interfaces: test-ssid (vap-switch type) and FG019TM22004646 (lan-extension type). Currently, neither interface has an IP address assigned to it.
To configure IPAM on the root FortiGate:
config system ipam
    set status enable
    set automatic-conflict-resolution enable
    set manage-lan-addresses enable
    set manage-lan-extension-addresses enable
    set manage-ssid-addresses enable
end
IPAM is disabled by default, so all of these options are disabled by default. Each option must be enabled individually to take effect, and they do not depend on one another.
After enabling IPAM on the root FortiGate with the specified settings, FortiGates that are part of the Security Fabric and have an interface set to the LAN role, the vap-switch type, or the lan-extension type will automatically receive an IP assignment from the IPAM server without requiring any additional configuration at the interface level.
To verify the list of IPAM entries:
root # diagnose sys ipam list entries
Entries: (sn, vdom, interface, subnet/mask, conflict)
IPAM Entries:
FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24
FGVM08TM22004645 root test-ssid 192.168.2.254/24
When a downstream FortiGate joins the Security Fabric, its port7 interface is configured with a static IP (192.168.4.254/24), and port8 is set to the LAN role with no IP address assigned. The IPAM server assigns an IP to port8 of the downstream FortiGate because its role is set to LAN. However, the IPAM-assigned FG019TM22004646 interface of the root FortiGate now conflicts with the manually configured port7 interface of the downstream FortiGate.
To verify the list of IPAM entries:
root # diagnose sys ipam list entries
Entries: (sn, vdom, interface, subnet/mask, conflict)
IPAM Entries:
FGVM08TM22004645 root test-ssid 192.168.2.254/24
FGVM08TM22004647 root port8 192.168.3.254/24
FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24 C
Since automatic-conflict-resolution is enabled in the IPAM settings, the administrator does not need to manually unset the IP address on the interface. The conflict is resolved automatically:
root # diagnose sys ipam list entries
Entries: (sn, vdom, interface, subnet/mask, conflict)
IPAM Entries:
FGVM08TM22004645 root FG019TM22004646 192.168.1.254/24
FGVM08TM22004645 root test-ssid 192.168.2.254/24
FGVM08TM22004647 root port8 192.168.3.254/24
IPAM conflict markers
The IPAM Interfaces tab displays conflict markers when there are IP pool IP address conflicts with manually configured IP addresses. Administrators can use the Edit Interface dialog to manually resolve the conflict.
To resolve conflicts in the GUI:
- Go to Network > IPAM > IPAM Interfaces.
- Hover your mouse over the conflict marker. The conflict marker information is displayed.
- Click Edit Interface. The Edit Interface pane opens.
- Enter a new IP address and netmask in the IP/Netmask field.
- Click OK. A confirmation message is displayed.
- Click OK.
Diagnostics
Use the following commands to view IPAM related diagnostics.
To view the largest available subnet size:
# diagnose sys ipam largest-available-subnet
Largest available subnet is a /17.
To verify IPAM allocation information:
# diagnose sys ipam dump-ipams-entries
IPAM Entries: (sn, vdom, interface, subnet/mask, flag)
F140EP4Q17000000 root port34 172.31.2.1/24 0
FG5H1E5818900001 root port3 172.31.0.1/24 0
FG5H1E5818900002 root port4 172.31.1.1/24 0
FG5H1E5818900003 root port3 172.31.0.2/24 1
To verify the available subnets:
# diagnose sys ipam dump-ipams-free-subnets
IPAM free subnets: (subnet/mask)
172.31.3.0/24
172.31.4.0/22
172.31.8.0/21
172.31.16.0/20
172.31.32.0/19
172.31.64.0/18
172.31.128.0/17
To remove a device from IPAM in the Security Fabric:
# diagnose sys ipam delete-device-from-ipams F140EP4Q17000000
Successfully removed device F140EP4Q17000000 from ipam
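The allocation, conflict-marking and diagnostic read-outs shown in Example 1, Example 2 and the Diagnostics section can be modelled to see why the free-subnet dump and the largest-available-subnet result come out the way they do. The following Python is an added illustration, not FortiOS code: it assumes a buddy-style allocator that always carves the requested block out of the smallest, lowest-addressed free block that fits, assigns the first usable address of the subnet to the interface (as in Example 1; Example 2's .254 addresses for SSID and LAN-extension interfaces are not reproduced), and uses the serial numbers from the page's dumps for Example 1 plus a constructed pool, serial and static address for the conflict case. Given Example 1's /16 pool and three default /24 requests it yields exactly the page's free-subnet list and the /17 result; the `register_static` call shows the C marker and what automatic-conflict-resolution changes.

```python
import ipaddress
from dataclasses import dataclass

# Values accepted by "set managed-subnetwork-size" on the page (addresses per subnet).
ALLOWED_SIZES = {32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536}

@dataclass
class Entry:
    sn: str            # device serial number
    vdom: str
    interface: str
    subnet: ipaddress.IPv4Network
    conflict: bool = False

    def address(self) -> ipaddress.IPv4Interface:
        # Assumption: the interface gets the first usable host address (Example 1: 172.31.0.1/24).
        return ipaddress.ip_interface(f"{self.subnet.network_address + 1}/{self.subnet.prefixlen}")

class Ipam:
    def __init__(self, pool_subnet: str, automatic_conflict_resolution: bool = True):
        pool = ipaddress.ip_network(pool_subnet)
        if pool.prefixlen > 16:  # the page allows only class A or class B pools
            raise ValueError("pool-subnet must be a class A or class B subnet")
        self.free = [pool]       # unallocated blocks, kept sorted by address
        self.entries: list[Entry] = []
        self.statics: list[ipaddress.IPv4Network] = []  # manually configured subnets seen in the Fabric
        self.auto_resolve = automatic_conflict_resolution

    def _take(self, prefixlen: int) -> ipaddress.IPv4Network:
        """Carve a /prefixlen out of the smallest free block that fits, skipping static ranges."""
        fitting = [b for b in self.free if b.prefixlen <= prefixlen]
        for block in sorted(fitting, key=lambda b: (-b.prefixlen, int(b.network_address))):
            for cand in block.subnets(new_prefix=prefixlen):
                if not any(cand.overlaps(s) for s in self.statics):
                    self.free.remove(block)
                    self.free.extend(block.address_exclude(cand))  # keep the leftover buddies
                    self.free.sort(key=lambda b: int(b.network_address))
                    return cand
        raise RuntimeError("IPAM pool exhausted")

    def _release(self, subnet: ipaddress.IPv4Network) -> None:
        """Return a block to the pool and re-merge adjacent buddies into larger blocks."""
        self.free.append(subnet)
        while True:
            self.free.sort(key=lambda b: (int(b.network_address), b.prefixlen))
            pair = next((ab for ab in zip(self.free, self.free[1:]) if ab[0].prefixlen == ab[1].prefixlen
                         and ab[0].supernet() == ab[1].supernet()), None)
            if pair is None:
                return
            self.free = [b for b in self.free if b not in pair] + [pair[0].supernet()]

    def assign(self, sn: str, vdom: str, interface: str, managed_subnetwork_size: int = 256) -> Entry:
        """An auto-managed interface requests a subnet; 256 addresses (a /24) is the page's default."""
        if managed_subnetwork_size not in ALLOWED_SIZES:
            raise ValueError("invalid managed-subnetwork-size")
        prefixlen = 32 - (managed_subnetwork_size.bit_length() - 1)
        entry = Entry(sn, vdom, interface, self._take(prefixlen))
        self.entries.append(entry)
        return entry

    def register_static(self, static_ip: str) -> list[Entry]:
        """A manually configured interface appears in the Fabric: flag overlaps ('C') and fix them if enabled."""
        net = ipaddress.ip_interface(static_ip).network
        self.statics.append(net)
        conflicts = [e for e in self.entries if e.subnet.overlaps(net)]
        for e in conflicts:
            e.conflict = True
            if self.auto_resolve:          # automatic-conflict-resolution enable
                self._release(e.subnet)
                e.subnet = self._take(e.subnet.prefixlen)  # _take() avoids every known static range
                e.conflict = False
        return conflicts

    def list_entries(self) -> list[str]:
        # Same columns as "diagnose sys ipam list entries": sn, vdom, interface, subnet/mask, conflict
        return [f"{e.sn} {e.vdom} {e.interface} {e.address()} {'C' if e.conflict else ''}".rstrip()
                for e in self.entries]

    def free_subnets(self) -> list[str]:
        return [str(b) for b in self.free]

    def largest_available_subnet(self) -> int:
        return min(b.prefixlen for b in self.free)

def example_1() -> Ipam:
    # Example 1 from the page: a /16 pool and three FortiGates each taking the default /24.
    ipam = Ipam("172.31.0.0/16")
    ipam.assign("FG5H1E5818900001", "root", "port3")   # FGT_AA, the Fabric root
    ipam.assign("FG5H1E5818900002", "root", "port4")   # FGT_BB
    ipam.assign("F140EP4Q17000000", "root", "port34")  # FGT_CC
    return ipam

def example_2() -> tuple[Ipam, list[Entry]]:
    # Constructed conflict scenario in the spirit of Example 2 (pool and static address are not the page's):
    # a downstream device joins with a static 192.168.1.254/24 that overlaps the second IPAM entry.
    ipam = Ipam("192.168.0.0/16")
    ipam.assign("FGVM08TM22004645", "root", "test-ssid")
    ipam.assign("FGVM08TM22004645", "root", "FG019TM22004646")
    return ipam, ipam.register_static("192.168.1.254/24")
```

Running `example_1()` and printing `free_subnets()` gives the seven blocks from the dump-ipams-free-subnets output above, and `largest_available_subnet()` returns 17. In `example_2()` the conflicting entry is moved to the next clean /24 and its marker cleared; with `automatic_conflict_resolution=False` the entry keeps its address and `list_entries()` shows the trailing C, which is the state in which an administrator would use the Edit Interface dialog described under IPAM conflict markers.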