Configuring FortiOS

To configure the deployment in FortiOS:
  1. Create a PBR virtual domain (VDOM). You must make all following configurations in the PBR VDOM.
  2. Configure a VLAN interface under port 1 with VLAN ID 400:
    1. Go to Network > Interfaces.
    2. Click Create New.
    3. In the Name field, enter vlan400.
    4. For Type, select VLAN.
    5. For Interface, select port1.
    6. In the VLAN ID field, enter 400.
    7. In the VRF ID field, enter 0.
    8. From the Role dropdown list, select LAN.
    9. In the IP/Netmask field, enter 172.16.254/255.255.255.0. Save the interface.

  3. Go to Policy & Objects > Firewall Policy. Configure policies as desired.
  4. Configure a static route to the APIC FW_Svc_OneArm BD GW IP address:
    1. Go to Network > Static Routes.
    2. Click Create New.
    3. Set Destination to Subnet, and leave the IP address and subnet mask as 0.0.0.0/0.0.0.0.
    4. In the Gateway Address field, enter the APIC FW_Svc_OneArm BD GW IP address, which is 172.16.1.1.
    5. From the Interface dropdown list, select vlan400.
    6. Save the configuration.

  5. Go to Log & Report > Forward Traffic. Confirm that you can view the Web and Application EPG traffic, indicating that it is redirected to the FortiGate for inspection.

  6. Run the following commands in the CLI to configure FGCP and FGSP for cluster1:

    config system ha
        set group-id 112
        set group-name "fortinet112"
        set mode a-p
        set pass ENC 6v7bvuVAmnjUK8GLToPP4ctq9GdqRH37cZ01WfMbJzBTXg53bc8KF1C0QFHk9AEzen695Q
        set hbdev "ha" 512
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt"
                set gateway 192.168.139.254
            next
        end
        set override disable
        set ha-direct enable
    end
    config system cluster-sync
        edit 5
            set peerip 172.16.88.2
            set syncvd "PBR"
        next
    end
    config system standalone-cluster
        set standalone-group-id 112
        set session-sync-dev "port3"
    end

    The reserved HA management interface is configured in the ha-mgmt-interfaces table (the original listing repeated ha-mgmt-status on that line). The ENC string is the encrypted form of the reference setup's cluster password; set your own password on each unit rather than copying this value.

    Note: By default, FortiOS sets layer2-connection to unavailable. If layer2-connection is set to available, the configuration may have issues.

  7. Run the following commands in the CLI to configure FGCP and FGSP for cluster2:

    config system ha
        set group-id 112
        set group-name "fortinet112112"
        set mode a-p
        set pass ENC bhU6+uYFf7IpqOirYnFWOMhGxbpJkXY8bdHWfg9o6x2Wg+IFId6ZEJUGqe2W1ots+g==
        set hbdev "ha" 512
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt"
                set gateway 192.168.139.254
            next
        end
        set override disable
        set ha-direct enable
    end
    config system cluster-sync
        edit 5
            set peerip 172.16.88.2
            set syncvd "PBR"
        next
    end
    config system standalone-cluster
        set standalone-group-id 112
        set group-member-id 1
        set session-sync-dev "port6"
    end

    Note: By default, FortiOS sets layer2-connection to unavailable. If layer2-connection is set to available, the configuration may have issues.

  8. To debug cluster1, you can run the following commands. The screenshot shows the expected output of each command:
    1. diagnose system ha status
    2. diagnose system ha standalone-peers
    3. diagnose system ha session-sync-dev

  9. To debug cluster2, you can run the following commands. The screenshot shows the expected output of each command:
    1. diagnose system ha status
    2. diagnose system ha standalone-peers
    3. diagnose system ha session-sync-dev
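The FGSP settings in steps 6 and 7 only work when the two clusters agree with each other: the same standalone-group-id, different group-member-ids, a session-sync-dev on each side, and the PBR VDOM listed in cluster-sync. The following added example (not part of the Fortinet guide) parses FortiOS CLI text of the config/edit/set/next/end form and cross-checks a cluster pair; the sample configs are constructed from the page's values, and it assumes group-member-id defaults to 0 when not set.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end) into nested dicts; values are token lists."""
    stack = [{}]                            # stack[-1] is the current scope
    for parts in map(shlex.split, text.splitlines()):
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):        # open a table or a table entry
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":                   # leaf: key -> list of values (quotes removed)
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):         # close the current scope
            stack.pop()
    return stack[0]

def check_fgsp_pair(cfg1, cfg2):
    """Return a list of findings for the FGSP settings the two peers must agree on."""
    findings = []
    sc1, sc2 = (c.get("system standalone-cluster", {}) for c in (cfg1, cfg2))
    if sc1.get("standalone-group-id") != sc2.get("standalone-group-id"):
        findings.append("standalone-group-id differs between peers")
    # Assumption: group-member-id defaults to 0 when the command is omitted.
    if sc1.get("group-member-id", ["0"]) == sc2.get("group-member-id", ["0"]):
        findings.append("group-member-id must differ between peers")
    for name, cfg, sc in (("cluster1", cfg1, sc1), ("cluster2", cfg2, sc2)):
        if not sc.get("session-sync-dev"):
            findings.append(f"{name}: no session-sync-dev configured")
        entries = cfg.get("system cluster-sync", {}).values()
        vdoms = [v for e in entries for v in e.get("syncvd", [])]
        if "PBR" not in vdoms:
            findings.append(f"{name}: PBR VDOM missing from cluster-sync syncvd")
    return findings

# Constructed sample built from the page's FGSP values (not a captured config).
CLUSTER1 = """config system cluster-sync
    edit 5
        set peerip 172.16.88.2
        set syncvd "PBR"
    next
end
config system standalone-cluster
    set standalone-group-id 112
    set session-sync-dev "port3"
end"""
# cluster2 differs only in its sync port and in carrying group-member-id 1.
CLUSTER2 = CLUSTER1.replace('"port3"', '"port6"').replace(
    "set session-sync-dev", "set group-member-id 1\n    set session-sync-dev")
```

Calling check_fgsp_pair(parse_fortios(CLUSTER1), parse_fortios(CLUSTER2)) returns an empty list for this pair; feeding it the output of show system standalone-cluster and show system cluster-sync from each unit gives the same check against a live deployment.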
