
IPAM enhancements 7.4.1

Note

This information is also available in the FortiOS 7.4 Administration Guide:

Interfaces with a LAN role, wireless network interfaces (vap-switch type), and FortiExtender LAN extension interfaces (lan-extension type) can now receive an IP address from an IPAM server without any additional configuration at the interface level. IPAM also detects and resolves any IP conflicts that may occur on the interfaces that it manages. See Interfaces in the FortiOS Administration Guide for more information.

This simplifies administration of these widely used interface types and reduces the complexity that usually arises when a large number of interfaces must be addressed and tracked. With IPAM, network administrators can keep track of the managed interfaces across the Security Fabric and ensure that each one holds a unique, valid address, which saves time and helps prevent the outages and policy mismatches that follow from duplicated or misconfigured interface addresses.

To configure IPAM in the GUI:
  1. Go to Network > IPAM and select the IPAM Settings tab.

  2. Configure the following settings:

    Status

    Enable/disable integration with IP address management services (IPAM).

    Auto-resolve conflicts

    Enable/disable automatic conflict resolution.

    Interfaces with LAN role

    Enable/disable LAN interface address management by default.

    FortiAP SSIDs

    Enable/disable FortiAP SSID address management by default.

    FortiExtender LAN extensions

    Enable/disable FortiExtender LAN extension interface address management by default.

  3. Click OK.

To configure IPAM in the CLI:
config system ipam
    set status {enable | disable}
    set automatic-conflict-resolution {enable | disable}
    set manage-lan-addresses {enable | disable}
    set manage-lan-extension-addresses {enable | disable}
    set manage-ssid-addresses {enable | disable}
end

When automatic-conflict-resolution is enabled, IPAM periodically checks and validates the addresses of all interfaces it manages. If a conflict is found, IPAM automatically obtains a new address for the affected IPAM-managed interface so that no address is duplicated. Only the IPAM-managed side is re-addressed; a manually configured (static) address on another interface is left unchanged, as the example below shows.

When a manage- option is enabled, any interface that meets the specified criteria will automatically receive an IP address from IPAM. However, if this option is disabled, interfaces that meet the criteria will not be configured by IPAM. All manage- options are disabled by default. The central FortiIPAM configuration can be overridden at the interface level.

To override the central FortiIPAM configuration at the interface level:
config system interface
    edit <name>
        set ip-managed-by-fortiipam {enable | disable | inherit-global}
    next 
end
Note

The default setting is to inherit from the global configuration (inherit-global) through the relevant manage- option under config system ipam.

Example

In this example, the FortiGate serves as the Security Fabric root and has two interfaces: test-ssid (vap-switch type) and FG019TM22004646 (lan-extension type). Currently, neither interface has an IP address assigned to it.

To configure IPAM on the root FortiGate:
  1. Go to Network > IPAM and select the IPAM Settings tab.

  2. Enable the Status, Auto-resolve conflicts, Interfaces with LAN role, FortiAP SSIDs, and FortiExtender LAN extensions settings.

    Note

    IPAM is disabled by default, so all these options are disabled by default. Each option must be activated individually to function, and they do not depend on one another.

  3. Click OK.

    After enabling IPAM on the root FortiGate with the specified settings, FortiGates that are part of the Security Fabric and have an interface set to either the LAN role, vap-switch type, or lan-extension type will automatically receive an IP assignment from the IPAM server without requiring any additional configuration at the interface level.

  4. Verify the list of IPAM entries:

    # diagnose sys ipam list entries 
    Entries: (sn, vdom, interface, subnet/mask, conflict)
    
    IPAM Entries:
      FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24      
      FGVM08TM22004645 root test-ssid 192.168.2.254/24 

When a downstream FortiGate joins the Security Fabric, its port7 interface is configured with a static IP (192.168.4.254/24), and port8 is set to the LAN role with no IP address assigned. The IPAM server assigns an IP to port8 of the downstream FortiGate because its role is LAN. Because FG019TM22004646 on the root FortiGate was already allocated 192.168.4.254/24 by IPAM, it now conflicts with the static address on port7 of the downstream FortiGate.

To verify the IP address conflict resolution:
  1. On the root FortiGate, go to Network > IPAM and select the IPAM Interfaces tab.

    There is a conflict marker (warning icon) beside the IP address of FG019TM22004646 due to a conflict between the IPAM-assigned interface FG019TM22004646 of the root FortiGate and the manually configured interface of the downstream FortiGate.

    1. Verify the list of IPAM entries in the CLI:

      # diagnose sys ipam list entries 
      Entries: (sn, vdom, interface, subnet/mask, conflict)
      
        IPAM Entries:
        FGVM08TM22004645 root test-ssid 192.168.2.254/24  
        FGVM08TM22004647 root port8 192.168.3.254/24  
        FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24 C
  2. Because Auto-resolve conflicts is enabled in the IPAM settings, the conflict is resolved automatically after the next periodic check.

    FG019TM22004646 has been assigned a new IP address of 192.168.1.254/24.

    If Auto-resolve conflicts is disabled in the IPAM settings, mouse over the conflict marker and select Reallocate IP to manually reallocate the IP address.

    1. Verify the list of IPAM entries in the CLI:

      # diagnose sys ipam list entries 
      Entries: (sn, vdom, interface, subnet/mask, conflict)
      
        IPAM Entries:
        FGVM08TM22004645 root FG019TM22004646 192.168.1.254/24  
        FGVM08TM22004645 root test-ssid 192.168.2.254/24  
        FGVM08TM22004647 root port8 192.168.3.254/24 
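As an added example, not part of this Fortinet document or of FortiOS, the following Python script parses the output of diagnose sys ipam list entries shown above and cross-checks the conflict marker against an inventory of statically addressed interfaces on Fabric members. The two command outputs and the static interface list are constructed for this example (they mirror the entries above); the helper names parse_entries, find_conflicts and audit are the example's own. It reports three things: the overlaps it computes itself, any 'C' marker for which it finds no overlap (a stale marker), and any overlap that FortiOS has not flagged yet, which is the case to watch for with a static address that IPAM did not assign.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of 'diagnose sys ipam list entries' on the
# root FortiGate during the conflict: the trailing 'C' is the conflict marker.
SAMPLE_OUTPUT = """\
Entries: (sn, vdom, interface, subnet/mask, conflict)

  IPAM Entries:
  FGVM08TM22004645 root test-ssid 192.168.2.254/24
  FGVM08TM22004647 root port8 192.168.3.254/24
  FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24 C
"""

# Constructed sample of the same command after auto-resolution re-addressed
# FG019TM22004646 (no entry carries the 'C' marker any more).
RESOLVED_OUTPUT = """\
Entries: (sn, vdom, interface, subnet/mask, conflict)

  IPAM Entries:
  FGVM08TM22004645 root FG019TM22004646 192.168.1.254/24
  FGVM08TM22004645 root test-ssid 192.168.2.254/24
  FGVM08TM22004647 root port8 192.168.3.254/24
"""

# Constructed inventory of statically addressed (non-IPAM) interfaces on Fabric
# members, e.g. collected from 'show system interface' on each unit.
# Tuple layout: (serial, vdom, interface, address/mask).
STATIC_INTERFACES = [
    ("FGVM08TM22004647", "root", "port7", "192.168.4.254/24"),
]


@dataclass(frozen=True)
class Entry:
    sn: str
    vdom: str
    iface: str
    addr: ipaddress.IPv4Interface
    flagged: bool  # True when FortiOS printed the 'C' conflict marker

    @property
    def key(self) -> str:
        return f"{self.sn}/{self.vdom}/{self.iface}"


# One entry line: serial, vdom, interface, IPv4 address/prefix, optional 'C'.
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)(?:\s+(C))?\s*$"
)


def parse_entries(text: str) -> list[Entry]:
    """Parse the diagnose output; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            sn, vdom, iface, cidr, flag = m.groups()
            entries.append(Entry(sn, vdom, iface, ipaddress.ip_interface(cidr), flag == "C"))
    return entries


def find_conflicts(entries: list[Entry], static_ifaces) -> dict[str, list[str]]:
    """For each IPAM-managed entry, list every other interface (IPAM-managed or
    static) whose subnet overlaps its own. Overlapping subnets, not only an
    identical address, are what make two LAN segments collide."""
    peers = [(e.key, e.addr.network) for e in entries]
    peers += [(f"{sn}/{vdom}/{iface}", ipaddress.ip_interface(cidr).network)
              for sn, vdom, iface, cidr in static_ifaces]
    conflicts: dict[str, list[str]] = {}
    for e in entries:
        hits = [name for name, net in peers
                if name != e.key and net.overlaps(e.addr.network)]
        if hits:
            conflicts[e.key] = hits
    return conflicts


def audit(text: str, static_ifaces) -> dict:
    """Compare what FortiOS flagged ('C') with the overlap check above, so a
    stale marker or an undetected collision with a static address stands out."""
    entries = parse_entries(text)
    computed = find_conflicts(entries, static_ifaces)
    computed_keys = set(computed)
    flagged = {e.key for e in entries if e.flagged}
    return {
        "conflicts": computed,
        "flagged_only": sorted(flagged - computed_keys),  # marker, but no overlap found
        "unflagged": sorted(computed_keys - flagged),     # overlap FortiOS has not flagged
    }


if __name__ == "__main__":
    for label, text in (("during conflict", SAMPLE_OUTPUT), ("after resolution", RESOLVED_OUTPUT)):
        print(label, audit(text, STATIC_INTERFACES))
```

Run it against the real command output captured from the root FortiGate and a static-interface list built from each Fabric member; an entry in "unflagged" means a downstream unit holds a static address inside an IPAM-allocated subnet that the next periodic check has not yet caught, and an entry in "flagged_only" means the marker is stale and the entries list should be re-read after Reallocate IP or the next automatic resolution.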
