Administration Guide

Configure IPAM locally on the FortiGate

IPAM (IP address management) is available locally on the FortiGate. A standalone FortiGate, or a Fabric root in the Security Fabric, can act as the IPAM server. Interfaces configured to be auto-managed by IPAM will receive an address from the IPAM server's address/subnet pool. DHCP Server is automatically enabled in the GUI, and the address range is populated by IPAM. Users can customize the address pool subnet and the size of a subnet that an interface can request.

Interfaces with a LAN role, wireless network interfaces (vap-switch type), and FortiExtender LAN extension interfaces (lan-extension type) can receive an IP address from an IPAM server without any additional configuration at the interface level (see Interfaces for more information).

IPAM detects and resolves any IP conflicts that may occur on the interfaces that it manages. Users have the option to manually edit the interface or reallocate the IP.

IPAM can be configured on the Network > IPAM page using the IPAM Settings, IPAM Rules, IPAM Interfaces, and IPAM Subnets tabs.

To configure IPAM settings in the GUI:
  1. Go to Network > IPAM and select the IPAM Settings tab.

  2. Enable or disable the following settings:

    1. Status
    2. Auto-resolve conflicts
    3. Interfaces with LAN role
    4. FortiAP SSIDs
    5. FortiExtender LAN extensions
  3. Click OK.

To configure IPAM settings in the CLI:
config system ipam
    set pool-subnet <class IP and netmask>
    set status {enable | disable}
    set automatic-conflict-resolution {enable | disable}
    set manage-lan-addresses {enable | disable}
    set manage-lan-extension-addresses {enable | disable}
    set manage-ssid-addresses {enable | disable}
    config pools
        edit <pool_name>
            set subnet <IP address/netmask>
        next
    end
    config rules
        edit <rule_name>
            set device <name1> <name2> ...
            set interface <name1> <name2> ...
            set pool <pool_name>
        next
    end
end

pool-subnet <class IP and netmask>

Set the IPAM pool subnet, class A or class B subnet.

status {enable | disable}

Enable/disable IP address management services.

automatic-conflict-resolution {enable | disable}

Enable/disable automatic conflict resolution.

When automatic-conflict-resolution is enabled, IPAM will periodically check and validate the addresses of all interfaces. In case of any conflicts, IPAM will automatically attempt to obtain a new address for the affected interface managed by IPAM, ensuring no address duplication.

manage-lan-addresses {enable | disable}*

Enable/disable default management of LAN interface addresses.

manage-lan-extension-addresses {enable | disable}*

Enable/disable default management of FortiExtender LAN extension interface addresses.

manage-ssid-addresses {enable | disable}*

Enable/disable default management of FortiAP SSID addresses.

config pools

Set the subnet for the IP pool.

config rules

Set the device, interface, and IP pool for IPAM rules.

* When a manage- option is enabled, any interface that meets the specified criteria will automatically receive an IP address from IPAM. However, if this option is disabled, interfaces that meet the criteria will not be configured by IPAM. All manage- options are disabled by default. The central FortiIPAM configuration can be overridden at the interface level.

To override the central FortiIPAM configuration at the interface level:
config system interface
    edit <name>
        set ip-managed-by-fortiipam {enable | disable | inherit-global}
    next
end
Note

The default setting is to inherit from the global configuration (inherit-global) through the relevant manage- option under config system ipam.

The following options are available for allocating the subnet size:

config system interface
    set managed-subnetwork-size {32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | 16384 | 32768 | 65536}
end

Example 1: physical interfaces

In this example, FGT_AA is the Security Fabric root with IPAM enabled. FGT_BB and FGT_CC are downstream Fabric devices and retrieve IPAM information from FGT_AA. The Fabric interface on all FortiGates is port2. FGT_AA acts as the DHCP server, and FGT_BB acts as the DHCP client.

To configure IPAM locally in the Security Fabric:
  1. On the root FortiGate, go to Network > Interfaces and edit port3.

  2. For Addressing Mode, select Auto-Managed by IPAM. DHCP Server is automatically enabled.

  3. In this example, IPAM is not enabled yet. Click Enable IPAM. The Subnets Managed by IPAM pane opens.

  4. Select Enabled, enter the Pool subnet (only class A and B are allowed) and click OK. The root FortiGate is now the IPAM server in the Security Fabric.

    The following is configured in the backend:

    config system interface
        edit "port3"
            set vdom "root"
            set ip 172.31.0.1 255.255.0.0
            set type physical
            set device-identification enable
            set snmp-index 5
            set ip-managed-by-fortiipam enable
        next
    end
    
    config system ipam
        set status enable
    end

    IPAM is managing a 172.31.0.0/16 network and assigned port3 a /24 network by default.

    The IP/Netmask field in the Address section has been automatically assigned a class C IP by IPAM. The Address range and Netmask fields in the DHCP Server section have also been automatically configured by IPAM.

  5. Click OK.

  6. Log in to FGT_BB and set the Addressing Mode of port4 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.1.1/24.

  7. Log in to FGT_CC and set the Addressing Mode of port34 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.2.1/24.

Note

Any interface on a downstream FortiGate can be managed by the IPAM server. The interface does not have to be directly connected to the Fabric root FortiGate.

To edit the IPAM subnet:
  1. Go to Network > IPAM > IPAM Settings.

  2. Edit the pool subnet if needed.

  3. Click OK.

    On downstream FortiGates, the settings on the Network > IPAM > IPAM Settings tab cannot be changed if IPAM is enabled on the root FortiGate.

Note

Go to Network > IPAM > IPAM Interfaces to view the subnet allocations (port34, port3, and port3) and DHCP lease information. On FGT_BB, port3 is a DHCP client and the DHCP server interface (FGT_AA port3) is managed by IPAM, so it is displayed in the Manually Configured section.

Example 2: wireless network and FortiExtender LAN extension interfaces

In this example, the FortiGate serves as the Security Fabric root and has two interfaces: test-ssid (vap-switch type) and FG019TM22004646 (lan-extension type). Currently, neither interface has an IP address assigned to it.

To configure IPAM on the root FortiGate:
  1. Go to Network > IPAM and select the IPAM Settings tab.

  2. Enable the Status, Auto-resolve conflicts, Interfaces with LAN role, FortiAP SSIDs, and FortiExtender LAN extensions settings.

    Note

    IPAM is disabled by default, so all these options are disabled by default. Each option must be activated individually to function, and they do not depend on one another.

  3. Click OK.

    After enabling IPAM on the root FortiGate with the specified settings, FortiGates that are part of the Security Fabric and have an interface set to either the LAN role, vap-switch type, or lan-extension type will automatically receive an IP assignment from the IPAM server without requiring any additional configuration at the interface level.

  4. Verify the list of IPAM entries:

    # diagnose sys ipam list entries 
    Entries: (sn, vdom, interface, subnet/mask, conflict)
    
    IPAM Entries:
      FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24      
      FGVM08TM22004645 root test-ssid 192.168.2.254/24

When a downstream FortiGate joins the Security Fabric, the port7 interface is configured with a static IP (192.168.4.254/24), and port8 is set to a LAN role with no IP address assigned. The IPAM server assigns an IP to port8 of the downstream FortiGate since its role was set to LAN. It is observed that the FG019TM22004646 interface of the root FortiGate conflicts with port7 of the downstream FortiGate.

To verify the IP address conflict resolution:
  1. On the root FortiGate, go to Network > IPAM and select the IPAM Interfaces tab.

    There is a conflict marker (warning icon) beside the IP address of FG019TM22004646 due to a conflict between the IPAM-assigned interface FG019TM22004646 of the root FortiGate and the manually configured interface of the downstream FortiGate.

    1. Verify the list of IPAM entries in the CLI:

      # diagnose sys ipam list entries 
      Entries: (sn, vdom, interface, subnet/mask, conflict)
      
        IPAM Entries:
        FGVM08TM22004645 root test-ssid 192.168.2.254/24  
        FGVM08TM22004647 root port8 192.168.3.254/24  
        FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24 C
  2. After some time, since Auto-resolve conflicts is enabled in the IPAM settings, the conflict is resolved automatically.

    FG019TM22004646 has been assigned a new IP address of 192.168.1.254/24.

    If Auto-resolve conflicts is disabled in the IPAM settings, mouse over the conflict marker and select Reallocate IP to manually reallocate the IP address.

    1. Verify the list of IPAM entries in the CLI:

      # diagnose sys ipam list entries 
      Entries: (sn, vdom, interface, subnet/mask, conflict)
      
        IPAM Entries:
        FGVM08TM22004645 root FG019TM22004646 192.168.1.254/24  
        FGVM08TM22004645 root test-ssid 192.168.2.254/24  
        FGVM08TM22004647 root port8 192.168.3.254/24 

Diagnostics

Use the following commands to view IPAM related diagnostics.

To view the largest available subnet size:
# diagnose sys ipam largest-available-subnet
Largest available subnet is a /17.

To verify IPAM allocation information:
# diagnose sys ipam list entries
IPAM Entries: (sn, vdom, interface, subnet/mask, flag)
  F140EP4Q17000000 root port34 172.31.2.1/24 0
  FG5H1E5818900001 root port3 172.31.0.1/24 0
  FG5H1E5818900002 root port4 172.31.1.1/24 0
  FG5H1E5818900003 root port3 172.31.0.2/24 1

To verify the available subnets:
# diagnose sys ipam list subnets
IPAM free subnets: (subnet/mask)
  172.31.3.0/24
  172.31.4.0/22
  172.31.8.0/21
  172.31.16.0/20
  172.31.32.0/19
  172.31.64.0/18
  172.31.128.0/17

To remove a device from IPAM in the Security Fabric:
# diagnose sys ipam delete device F140EP4Q17000000
Successfully removed device F140EP4Q17000000 from ipam
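The pool behaviour behind the outputs above, modelled as an added Python example (not FortiOS code): it reproduces the free-subnet list and largest available subnet from the Diagnostics section after the three /24 allocations of Example 1, and the conflict detection and automatic reallocation from Example 2. The best-fit allocation rule, the first-host gateway convention, the 192.168.0.0/16 pool and the static 192.168.1.254/24 address are assumptions; the serial numbers and interface names are taken from the page.

```python
import ipaddress

class IpamPool:
    """Toy IPAM pool: best-fit allocation (assumed rule), conflict detection, auto-resolution."""
    def __init__(self, pool):
        self.pool = ipaddress.ip_network(pool)
        if self.pool.prefixlen > 16:      # page: only class A/B pools allowed
            raise ValueError("pool must be a class A or class B sized subnet")
        self.free = [self.pool]           # non-overlapping free blocks
        self.entries = {}                 # (sn, iface) -> IPAM-assigned network
        self.static = {}                  # (sn, iface) -> manually configured network

    def _clashes(self, net):
        return any(net.overlaps(s) for s in self.static.values())

    def allocate(self, sn, iface, size=256):
        """Give (sn, iface) a block of `size` addresses; return gateway/prefix."""
        prefix = 32 - (size.bit_length() - 1)      # 256 -> /24, 512 -> /23
        # Smallest free block that fits and avoids static subnets, lowest address first.
        fits = sorted((n for n in self.free if n.prefixlen <= prefix
                       and not self._clashes(n)),
                      key=lambda n: (-n.prefixlen, n.network_address))
        if not fits:
            raise RuntimeError("pool exhausted")
        net = fits[0]
        self.free.remove(net)
        while net.prefixlen < prefix:              # split; upper halves stay free
            net, upper = net.subnets(prefixlen_diff=1)
            self.free.append(upper)
        self.entries[(sn, iface)] = net
        return f"{net[1]}/{net.prefixlen}"         # first host as the interface address

    def register_static(self, sn, iface, cidr):    # interface configured by hand
        self.static[(sn, iface)] = ipaddress.ip_interface(cidr).network

    def conflicts(self):
        """Managed entries that overlap a static subnet (the 'C' flag)."""
        return [k for k, n in self.entries.items() if self._clashes(n)]

    def resolve_conflicts(self):
        """Auto-resolve: release each conflicting block and allocate it anew."""
        moved = {}
        for key in self.conflicts():
            old = self.entries.pop(key)
            self.free.append(old)                  # unusable while the static subnet overlaps
            moved[key] = self.allocate(*key, size=old.num_addresses)
        return moved

    def free_subnets(self):
        return [str(n) for n in sorted(self.free, key=lambda n: n.network_address)]

    def largest_available(self):
        return min(n.prefixlen for n in self.free)


def demo():
    p = IpamPool("172.31.0.0/16")       # Example 1 pool; serials from the page
    for sn, iface in [("FG5H1E5818900001", "port3"), ("FG5H1E5818900002", "port4"),
                      ("F140EP4Q17000000", "port34")]:
        print(sn, iface, p.allocate(sn, iface))
    print("free:", p.free_subnets(), "largest: /%d" % p.largest_available())
    q = IpamPool("192.168.0.0/16")      # constructed pool for the Example 2 devices
    for iface in ("test-ssid", "FG019TM22004646"):
        q.allocate("FGVM08TM22004645", iface)
    q.register_static("FGVM08TM22004647", "port7", "192.168.1.254/24")
    print("conflicts:", q.conflicts(), "moved:", q.resolve_conflicts())
```

Running demo() prints the same free-subnet list and /17 largest block as the diagnostics above, then shows the lan-extension interface flagged and moved to a fresh /24 once the static subnet is known.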