FortiExtender 4.2.2 Admin Guide - AWS

FortiExtender - Admin GuideVersion 4.2.2

FORTINET DOCUMENT LIBRARYhttps://docs.fortinet.com

FORTINET VIDEO GUIDEhttps://video.fortinet.com

FORTINET BLOGhttps://blog.fortinet.com

CUSTOMER SERVICE & SUPPORThttps://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAMhttps://www.fortinet.com/support-and-training/training.html

NSE INSTITUTEhttps://training.fortinet.com

FORTIGUARD CENTERhttps://www.fortiguard.com

END USER LICENSE AGREEMENThttps://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACKEmail: [email protected]

December 24, 2020FortiExtender 4.2.2 Admin Guide

https://docs.fortinet.com/

https://video.fortinet.com/

https://blog.fortinet.com/

https://support.fortinet.com/

https://www.fortinet.com/support-and-training/training.html

https://training.fortinet.com/

https://www.fortiguard.com/

https://www.fortinet.com/doc/legal/EULA.pdf

mailto:[email protected]

TABLE OF CONTENTS

Introduction 6Network topologies 7Integrated with FortiGate 7Deployed on FortiExtender Cloud 7Managed locally 8

Main features and benefits 9Supported hardwaremodels 9Cellular capabilities 9Supported wireless carriers 10SIMmapping 11Add a data plan and APN 11Global SIMwith roaming on 12SIM-switch 12SIM switch-back 13Get modem status 13CAPWAP onmultiple ports for broadcast discovery 14Stopping data traffic on overgaged LTE interface 15

Modes of operation 16IP pass-throughmode 16NATmode 18Local mode 18get extender status 19

Interface management 20Interface configuration guideline 21

Physical interface(s) 21LTE interface 21Tunnel interface 21Virtual-WAN interface 21

Access allowance 22Get interface status 22Configure LAN switch 23Configure switch interface 24Configure VXLAN interface 25Aggregate interface support with load-balancing 26

DHCP configurations 29Configure DHCP server 29Configure DHCP relay 31

Network utilities 32Address 32Service 32Target 32

FortiExtender 4.2.2 Admin Guide 3Fortinet Technologies, Inc.

System routing 34Configure static routing 34Configure PBR routing 35View routing configurations 36Move PBR rules 37Configuremulticast routing 37

Firewalls 39Configure address/subnet 39Configure protocol/port range 39Configure firewall policies 40Move firewall policies 41

VPN 43Configure VPN 43

Configure phase-1 parameters 44Configure phase-2 parameters 45Configure firewall policies 48Configure static routes 49

Check VPN tunnel status 49IPsec VPN support for third-party certificates 49

Import third-party certificates 50Use third-party certificates for IKE authentication 50

Health monitoring 52Monitor interface status 52Perform link health check 53Configure health monitoring 55

Systemmanagement 56FortiGate-FortiExtender zero-touch provisioning (ZTP) 56Get system version 56UpgradeOS firmware 57

TFTP 57FTP 57USB 57FortiExtender Cloud 57GUI 57

Upgrademodem firmware 58TFTP 58FTP 58USB 58FortiExtender Cloud 58GUI 58

SMS notification 58Remote diagnostics via SMS 59Export system logs to remote syslog servers 60Support for SNMP (read-only) and traps 60

Typical SNMP commands 60


Sample SNMP commands 61Executable SNMP commands 62

Configure LTE settings 64Add a new carrier profile 64Add a new operator/carrier 64Create a data plan 65Set the default SIM 66

Set the default SIM by preferred carrier 66Set the default SIM by low cost 66Set the default SIM by SIM slot 67

Enable SIM-switch 67Report to controller 68

Use cases 69Extended cellular WAN of FortiGate 69

Connect to FortiGate 69VLAN mode and performance 71Modem connectivity 71Dual FortiExtender operations 71

Redundant with FGT in IP Pass-throughmode 74Enable DHCP server on FortiExtender and the VRRPmaster router 77Enable DHCP relay on both FortiExtender and the VRRPmaster router 78

DHCP relay 78Manage from FortiExtender Cloud 80

Configure with FortiExtender Cloud 80IP Pass-throughmodewith Cloudmanagement 81NATmodewith Cloudmanagement 81OBM management 82

FEX-201E for FortiGate HA configuration 83Network topology 84Prerequisites 84Configuration procedures 84

Troubleshooting, diagnostics, and debugging 88Troubleshooting 88

Can’t manage the FortiExtender from FortiExtender Cloud 88Can’t start an Internet session 88

Status, diagnostics, and debugging commands 89Diagnose FortiExtender 89

Diagnose from FortiGate 89Diagnose from FortiExtender Cloud 91Diagnose from Telnet 91Collect complete diagnostics information 91

Change Log 93


Introduction

Introduction

FortiExtender is a plug-and-play customer premises equipment (CPE) device. As a 3G/4G LTE wirelessWANextender, FortiExtender can provide a primaryWAN link for retail POS, ATM, and kiosk systems, or a failoverWAN link to your primary Internet connection to ensure business continuity. It can be deployed indoors andoutdoors, and function as a stand-alone wireless router, or integrate with FortiGate or FortiExtender Cloud.

l This Admin Guide applies to FortiExtender OS 4.2.2 and later.


Network topologies

Network topologies

FortiExtender FEX-201E and FEX-211E come with four LAN Ethernet ports and one WAN Ethernet port. Theyall can support multiple devices in NAT mode or a single device in IP pass-through mode. FortiExtender worksas an extended WAN interface when configured in IP pass-through mode, but it functions as a router when inNAT mode.

The following paragraphs highlight the network topologies for the three common use cases for FortiExtender:

l Integrated with FortiGate on page 7l Deployed on FortiExtender Cloud on page 7l Managed locally on page 8

Integrated with FortiGate

Integration with FortiGate requires FortiOS version 6.0.5 or later.

In this scenario, FortiGate manages FortiExtender over the Control and Provisioning of Wireless Access Points(CAPWAP) protocol in IP pass-through mode. Unlike a stand-alone 3G/4G wirelessWAN extender,FortiExtender integrates directly into the FortiGate Connected UTM (Unified Threat Management) and ismanaged from the familiar FortiOS interface. This not only allows security policies to be seamlessly applied toFortiExtender, but also provides visibility to the performance and data usage of the connection.

In this scenario, you can connect a FortiExtender to two FortiGate devices for a high availability (HA)configuration in Active-Passive, and two FortiExtenders to two FortiGate devices in Active-Active deployments,providing dual active redundancy for wirelessWAN access as well.

Deployed on FortiExtender Cloud

FortiExtender Cloud offers hosted management for an unlimited number of FortiExtender devices deployedanywhere around the globe in either IP pass-through or NAT mode.


Network topologies

FortiExtender Cloud provides hosted management of up to three FortiExtender devicesfree of charge to each of its registered customers on FortiCare. To take full advantageof this offering, you must purchase a FortiExtender Cloud license for every additional10 FortiExtender devices to be hosted on FortiExtender Cloud. For more information,see FortiExtender Cloud Admin Guide.

Managed locally

In this scenario, FortiExtender works as a stand-alone device without FortiGate or FortiExtender Cloud. Youcan configure locally on the device itself either from the Console or the GUI. A locally managed FortiExtendercan work in either IP pass-through or NAT mode.


https://docs2.fortinet.com/product/fortiextender-cloud/4.2

Main features and benefits


FortiExtender offers the following main features and benefits:

l Supported hardware models on page 9l Cellular capabilities on page 9l Supported wireless carriers on page 10l SIM mapping on page 11l Add a data plan and APN on page 11l Global SIM with roaming on on page 12l SIM-switch on page 12l Get modem status on page 13l CAPWAP on multiple ports for broadcast discovery on page 14l Stopping data traffic on overgaged LTE interface on page 15

To access your FortiExtender device through its console port, you must set the baudrate to 115200.

Supported hardware models

Model Market

FEX-201E Americas and Europe

FEX-211E Global coverage

FortiExtender 201E and 211E devices come with a Bluetooth button, which is off bydefault. However, when it is turned on, anyone can access the devices via Bluetooth.To safeguard your network, we strongly recommend setting passwords for all yourdevices before deploying them in your environment.

Cellular capabilities

FortiExtender 201E uses the CAT6 EM7455 built-in modem to cover countries in Americas and Europe usingthe following frequencies:

l LTE/4G Bands: 1, 2, 3, 4, 5 ,7,12, 13, 20, 25, 26, 29, 30, and 41l 3G UMTS Bands: 1, 2, 3, 4, 5, and 8



FortiExtender 211E uses the CAT12 EM7565 built-in modem to cover countries in Americas and Europe usingthe following frequencies:

l LTE/4G Bands: 1, 2, 3, 4, 5, 7, 8, 9, 12, 13, 18, 19, 20, 26, 28, 29, 30, 32, 41, 42, 43, 46, 48, and 66l 3G UMTS Bands: 1, 2, 3, 4, 5, 6, 8, 9, and 19

Supported wireless carriers

By default, FortiExtender supports all major wireless carriers in Europe and North America, including thefollowing:

Region Carrier

Europe l A1MobilKoml Bouyguesl O2l Orangel SFRl Swisscoml T-Mobilel Vodafone

North America l AT&Tl Belll Rogersl Sasktell Sprintl Telusl T-Mobilel Verizon

If necessary, you can use the following commands to add a new carrier to the list ofsupported wireless carriers:

config lte carrieredit free

set firmware SWI9X30C_02.32.11.00.cweset pri SWI9X30C_02.32.11.00_GENERIC_002.064_000.nvu

next

FortiExtender also supports other wireless carriers in other parts of the world,depending on the technology and bands used, sometimes requiring specificconfiguration such as APN, but mostly using the generic modem firmware (see below).Operation of FortiExtender with any unlisted service provider in any country is notguaranteed. Although the technology and bands may overlap, many variables, such ascarrier, SIM card, and certification, must be taken into consideration for reliableoperation. Fortinet VARs (Value Added Resellers and Distributors) must confirmcompatibility prior to placing a customer order.



SIM mapping

A Public Land Mobile Network (PLMN) is a combination of wireless communication services offered by aspecific operator in a specific country. A PLMN is identified by a globally unique PLMN code, which consists of aMobile Country Code (MCC) and a Mobile Network Code (MNC).

FortiExtender uses a PLMN list to identify the carrier of the SIM cards you are using.

You can also use the following commands to add customized entries to the PLMN list to support the SIMs ofunlisted carriers, or create a new PLMN list of any listed carrier:

FX201E5919000035 # config lte simmapFX201E5919000035 (simmap) # showconfig lte simmapend

FX201E5919000035 (simmap) # edit 1FX201E5919000035 (1) <M> # set mcc 332FX201E5919000035 (1) <M> # set mnc 321

FX201E5919000035 (1) <M> # set carrier

FX201E5919000035 (1) <M> # next

FortiExtender automatically switches its modem firmware based on the carrier andtechnology you are using. If the carrier can’t be identified or is unlisted, the genericfirmware is used. The generic firmware works with most carriers.To help FortiExtender recognize the correct carrier name, you can add the MCC andMNC to the configuration file, but this isn’t required normally.

Add a data plan and APN

You must have an Access Point Name (APN) to establish a Packet Data Network (PDN) connection with awireless carrier. For this reason, an APN is a required component in an LTE data plan configuration. In mostcases, your SIM card comes with the carrier's APN, which is retrieved automatically at first connection fromFortiExtender. If it doesn't or you are not sure what it is, you must find it out from your carrier and add it whencreating a data plan.

Use the following commands to create a data plan:

config lte planedit <plan name>set modem all

set type by-defaultset apn <carrier apn>

nextend

A PDN can’t be established without a valid APN. Always be aware of the APN of theSIM card you are using. If you are not sure, contact your network service provider (NSP)for assistance.



Global SIM with roaming on

FortiExtender must always run on the modem firmware compatible with the native wireless operator’s SIM.However, this does not apply to roaming operators because roaming agreements require that roaming serviceproviders consider all data service requests. For this reason, there is no need to adjust the configuration forroaming.

SIM-switch

SIM-switching can be configured by data plan, disconnect settings, signal strength, coupled with switch back bytime or by timer. All these options are under the renamed “Auto switch” setting.

FortiExtender comes with two SIM-card slots per modem, with the first one (i.e., sim1) being the default. SIM-switch works only when you have two SIM cards installed on a FortiExtender device with the feature enabled onit. SIM-switch is disabled by default, you can enable it using the following commands:

config auto-switchset by-disconnect disableset by-signal disableset by-data-plan disableset switch-back

end

With SIM-switch enabled, FortiExtender automatically switches to sim2 to maintain the current LTE connectionwhen any of the following situations occurs:

l An Internet session gets disconnected. By default, FortiExtender automatically switches to sim2 if sim1gets disconnected for three times within 600 seconds. You can change the values using the followingcommands:

config lte setting modem1config auto-switch

set by-disconnect enable /*enable the switch by disconnect feature*/set disconnect-threshold <3> /*Number of disconnects for sim-switch*/set disconnect-period <600> /*Disconnect evaluation period for simswitch*/

endend

l Data usage has exceeded the set limit of your data plan and overage is disabled. By default, overage isdisabled. SIM-switch does not occur if overage is enabled. You can use the following commands to set thecapacity of your data plan and enable or disable overage:

config lte setting modem1config auto-switch

set by-signal enable /*enable the switch by signal feature*/set by-data-plan enable /*enable the switch by data usage feature*/

endendconfig lte plan

edit <plan>set capacity <data plan in MB>set billing-date <billing date>set overage {enable | disable}set signal-threshold <-100> /*RSSI to be evaluated*/set signal-period <600> /*Signal evaluation time in seconds*/



next

l The relative signal (RSSI value) stays lower than the specified value for a major part of the time perioddefined. By default, the RSSI value is -100, and the time period is 600 seconds. This means that SIM-switch occurs if the RSSI value stays below -100 for more than 300 seconds.

RSSI Values and LED State

RSSI LED-1 LED-2 LED-3 LED-4

0, or N/A, or 'rssi<=-100' OFF OFF OFF OFF

-90~-81 ON OFF OFF OFF

-80~-71 ON ON OFF OFF

-70~-61 ON ON ON OFF

rssi>=-60 ON ON ON ON

SIM-switch is a feature in data plan configuration which can be configured fromFortiExtender Cloud and/or locally from the GUI. It can't be configured in FortiGate. Allthe three aforementioned parameters can be configured from the FortiExtender CLI.

SIM switch-back

Following a fail-over, FortiExtender is able to fail back to the preferred SIM card according to userconfiguration.

To enable SIM switch-back:

FX211E5919000006 (auto-switch) # showconfig lte setting modem1 auto-switch

set switch-back [by-time | by-timer]end

Parameter Description

by-time Switch over to the preferred SIM card/carrier at a specified (UTC) time (in the format ofHH:MM).

by-timer

Switch over to the preferred SIM/carrier after the given time (from 3600 to 2147483647seconds).

Get modem status

You can use the following command to get your modem status:

X201E5919002499 # get modem statusModem status:



modem : Modem1usb path : 2-1.2 (sdk 0)vender : Sierra Wireless, Incorporatedproduct : Sierra Wireless, Incorporatedmodel : EM7455SIM slot : SIM1revision : SWI9X30C_02.32.11.00 r8042 CARMD-EV-FRMWR2 2019/05/15 21:52:20imei : 359073065340568iccid : 8933270100000296108imsi : 208270100029610pin status : enablepin code : 0000carrier : 436627|coriolis|EUAPN : N/Aservice : LTEsim pin (sim1) : 3 attempts leftsim puk (sim1) : 10 attempts leftrssi (dBm) : -68signal_strength : 64ca state : ACTIVEcell ID : 00A25703band : B7band width : 20sinr (dB ) : 7.4rsrp (dBm) : -99rsrq (dB ) : -13.1plan_name : coriolis100Gconnect_status : CONN_STATE_CONNECTEDreconnect count : 0smart sim switch : disabledup time (sec) : 26670clock (UTC) : 20/05/27,20:08:33+08temperature : 60activation_status : N/Aroaming_status : N/ALatitude : 37.376281Longitude : -122.010817

CAPWAP on multiple ports for broadcast discovery

Starting from Version 4.2.1, FortiExtender is able to discover FortiGate on multiple interfaces. It sendsdiscovery messages on multiple ports (port1, port2, and port3, and port4), one at a time, until it hassuccessfully connected with a FortiGate on a link.

config system management fortigateset ac-discovery-type broadcastset ac-ctl-port 5246set ac-data-port 25246set discovery-intf lan port4set ingress-intf

end



By default, it starts the discovery process with the LAN ports (from port1 through port3) first. If it fails toestablish a connection after several attempts, it will move on to port4. If it fails on port4, it will go back to theLAN ports and start the process all over again.

A LAN interface has a static IP of 192.168.200.99 and a DHCPServer IP of192.168.200.110~192.168.200.210. We recommend connecting to the WAN port on FortiGate for ZTP.

The port4 interface is set for DHCPmode, and must be connected to the internal port on FortiGate to obtain anIP address for the CAPWAP tunnel, which is the same as in previous versions.

Stopping data traffic on overgaged LTE interface

When an LTE interface has breached it data usage limit, FortiExtender will stop forwarding outgoing traffic(except for management traffic) to that interface. The following types of traffic are affected:

l NATted trafficl VPN data traffic on IPsec Tunnel based on the overaged LTE interfacel VWAN traffic on a VWANmember based on the overaged LTE interface. (The VWANmember is marked

as invalid, and traffic will be diverted to other valid VWANmembers.)l IP-passthrough traffic


Modes of operation

Modes of operation

Depending on the way it is managed, FortiExtender can operate in IP pass-through or NAT mode(s):

Management scenario

Mode of operation

NAT IP Pass-through

FortiGate No Yes

FortiExtender Cloud Yes Yes

Local Yes Yes

This section covers the following topics:

l IP pass-through mode on page 16l NAT mode on page 18l get extender status on page 19

IP pass-through mode

In IP pass-through mode, FortiExtender distributes the WAN IP address provided by the NSP to the devicebehind it. It can be managed from FortiGate, FortiExtender Cloud, or locally as a stand-alone device.

It is important to note that IP pass-through mode is the only mode of operation formanaging FortiExtender from FortiGate.

Enable IP pass-through mode with FortiGate management

# config system management(management) # set discovery-type fortigate(management) # end

#

FX201E5919000027 (fortigate) # showconfig system management fortigate

set ac-discovery-type broadcastset ac-ctl-port 5246set ac-data-port 25246set discovery-intf lan port4set ingress-intf

end

ac-discovery-type specifies the way in which FortiGate and FortiExtender discover each other. It can bestatic or broadcast. When it is static, the IP of FortiGate should be set as the value of static-ac-ip-addr.


Modes of operation

ac-ctl-port and the ac-data-port define the UDP port used by the control channel and the datachannel.

discovery-intf specifies the physical ports from which FortiExtender sends broadcast packets in searchfor FortiGate.

ingress-intf defines the interface connected to FortiGate.

Enable IP pass-through mode from FortiExtender Cloud

You can also enable IP pass-through mode from FortiExtender Cloud using the following commands, and thencreate a profile with IP pass-through enabled, as illustrated below.

# config system management(management) # set discovery-type cloud(management) # end

#


Modes of operation

Enable IP pass-through mode for local setup and management

FortiExtender can be used as a stand-alone device, without integration with FortiGate or FortiExtender Cloud.In this scenario, all configuration is done locally on the FortiExtender device. We call this mode of operation"local" mode.

You can enable IP pass-through in local mode using the following commands:

# config system management(management)# set discovery-type local(management) <M># config local(local)# set mode ip-passthrough

NAT mode

The LAN port on FortiExtender can support multiple devices (e.g., PCs, printers, etc.) in NAT mode . In thismode, FortiExtender works as a gateway of the subnet behind it to forward traffic between the LAN and theLTEWAN.

The following features are supported in NAT mode:

l Interface management on page 20l DHCP configurationsl System routing on page 34l Configure PBR routing on page 35l Firewalls on page 39l VPN on page 43l Health monitoring on page 52

Local mode

FortiExtender can be used as a stand-alone device, without integration with FortiGate or FortiExtender Cloud.In this scenario, all configuration is done locally on FortiExtender. We call this mode of operation "local" mode.You can use IP pass-through or NAT when managing FortiExtender locally.

To configure FortiExtender in local mode:

config system managementset discovery-type localconfig local

set mode ip-passthroughend

end

FortiExtender and FortiGate share the same LTE IP in WAN-extension mode. In pre-4.2.2 releases,FortiExtender does not allow access to ssh/https/http/telnet service via the LTE interface, so all the traffic tothose default service goes to FortiGate. FortiExtender 4.2.2 adds local ssh/https/telnet/http service support viathe LTE interface. To distinguish local services from FortiGate services, you must configure FortiExtender to


Modes of operation

use different ports. Otherwise, all traffic to these default services will be sent to FortiExtender locally instead ofFortiGate.

To configure FortiExtender local ssh/https/http/telnet service support via the LTE interface:

config system managementconfig local-access

set https 22443set ssh 2222

endend

get extender status

You can configure or manage FortiExtender from FortiGate, FortiExtender Cloud, or locally. If you are not sure"who" is your FortiExtender's controller, use the following command to find out:

FX201E5919002499 # get extender statusExtender Status

name : FX201E5919002499mode : CLOUDfext-addr : 192.168.2.1fext-wan-addr : 10.102.116.241controller-addr : fortiextender-dispatch.forticloud.com:443deployed : truemanagement-state : CWWS_RUNbase-mac : 04:D5:90:57:4F:77network-mode : natfgt-backup-mode : backupdiscovery-type : clouddiscovery-interval : 5echo-interval : 30report-interval : 30statistics-interval : 120mdm-fw-server : fortiextender-firmware.forticloud.comos-fw-server : fortiextender-firmware.forticloud.com


Interface management


FortiExtender 201E and 211E each come with one WAN interface, one LTE interface, and four LAN interfaces.By default, FortiExtender 201E and 211E running on FortiExtender OS 4.2.2 come with the following networksettings:

l port1, port2, and port3 are part of the LAN switch with the static IP address of 192.168.200.99/24; a DHCPserver also runs on the LAN switch interface with an IP range from 192.168.200.110 to 192.168.200.210and the default gateway IP of 192.168.200.99.

l port4/POE port is independent (as a DHCP client).

The table below describes the CLI commands used to configure the system interface.

CLI command Description

config system interface Enters system interface configuration mode.

edit <interface_name> Specify or edit interface name (lan, lo, lte1 or wan).

set type <type> Select the interface type:l lan-switch—LAN interface (Can be edited only).l physical—LAN interface (Can be edited only).l lte—LTE interface (Can be edited only).l loopback—Loopback interface (Can be edited only).l tunnel—Tunnel interface (Can be created, edited, or deleted).l virtual-wan—Virtual WAN interface (Can be created, edited, or

deleted).

set status {up | down} Specify the interface state:l up—Enabled.l down—Disabled.

set mode {static | dhcp} Set the interface IP addressing mode:l static—If selected, FortiExtender will use a fixed IP address to

connect to the Internet. See set ip <ip> below.l dhcp—If selected, FortiExtender will work in DHCP client mode.

set ip <ip> (Applicable only when IP addressing mode is set to "static".) Specify anIPv4 address and subnet mask in the format: x.x.x.x/24

set gateway <gateway> Set an IPv4 address for the router in the format: x.x.x.x

set mtu <mtu> Set the interface's MTU value in the range of 0–4294967295.

allowaccess {ping | http| https | telnet}

Select the types of management traffic allowed to access the interface:l ping—PING access.l http—HTTP access.l https—HTTPS access.l telnet—TELNET access.



Interface configuration guideline

The following are the general guidelines regarding system interface configurations.

Physical interface(s)

FortiExtender LAN interface(s) can be configured in DHCP or static IP addressing mode. When FortiExtender isin NAT mode, you can also configure a DHCP server to distribute IP addresses from the FortiExtender physicalEthernet interface to the devices behind it.

FortiExtender-201E also comes with a WAN physical interface.

LTE interface

The LTE interface only works in DHCPmode and acquires IP addresses directly from wireless NSPs. SeeCellular capabilities on page 9.

Tunnel interface

Tunnel interfaces are automatically created when IPsec VPN Tunnels are created. A tunnel interface is a Layer-3 interface which doesn’t have an IP address. All traffic sent to the tunnel interface is encapsulated in a VPNtunnel and received from the other end point of the tunnel. It can be used by firewall, routing, and SD-WAN, butcannot be used by VPN.

Virtual-WAN interface

A Virtual-WAN interface is an aggregation of multiple up-links. It works as a common interface because alltraffic to it is load-balanced among multiple links.

It can be used by firewall, routing, but cannot be used by SD-WAN or VPN.

LAN interface configuration example:

# config system interface(interface) # edit lan

(lan) # set type physical(lan) # set status up(lan) # set mode static(lan) # set ip 192.168.2.1/24(lan) # set mtu 1400(lan) # set allowaccess http ping telnet(lan) # end

WAN interface configuration example:

FX211E5919000009 # config system interfaceFX211E5919000009 (interface) # edit wan



FX211E5919000009 (wan) # showedit wan

set type physicalset status upset mode dhcpset mtu-override enableset mtu 1500set vrrp-virtual-mac enableconfig vrrp

set status disableendset allowaccess

next

FX211E5919000009 (wan) # set allowaccesspinghttptelnetsshhttps

FX211E5919000009 (wan) #

Access allowance

Both the physical and the LTE interfaces can be configured with access allowance to allow the administrator toaccess FortiExtender using the following tools:

l SSHl Telnetl pingl HTTPl HTTPS

Access allowance doesn’t apply to a tunnel or Virtual-WAN interface.

Access from the LTEWAN side is not supported. If you need to manage FortiExtendervia LTE, you must use FortiExtender Cloud.

Get interface status

Use the following command to get system interface status:

get system interface



= [ lo ]name: lo status: online/up/link up type:loopback mac: 00:00:00:00:00:00 mode: static ip:127.0.0.1/8 mtu: 65536 gateway: 0.0.0.0== [ lte1 ]name: lte1 status: online/up/link up type:lte mac: d2:82:f4:b7:db:27 mode: dhcp ip:10.220.139.33/30 mtu: 1500 gateway: 10.220.139.34 dns:172.26.38.1== [ lan ]name: lan status: online/up/link up type:physical mac: 70:4c:a5:fd:1a:da mode: static ip:192.168.2.1/24 mtu: 1500 gateway: 0.0.0.0== [ vwan1 ]name: vwan1 status: online/up/link up type:virtual-wan mac: d2:10:5f:ed:71:e8 mode: static ip:0.0.0.0/0 mtu: 1364 gateway: 0.0.0.0== [ fcs-0-phase-1 ]name: fcs-0-phase-1 status: online/up/link up type:tunnel mac: 00:00:00:00:00:00 mode: static ip:0.0.0.0/0 mtu: 1364 gateway: 0.0.0.0== [ fcs-1-phase-1 ]name: fcs-1-phase-1 status: online/up/link up type:tunnel mac: 00:00:00:00:00:00 mode: static ip:0.0.0.0/0 mtu: 1364 gateway: 0.0.0.0

Configure LAN switch

FortiExtender-201E comes with four LAN ports (i.e., Ports 1–4) which are part of a LAN switch. These ports canbe separated from the LAN switch to run on different IP subnets as well.

To display the current LAN switch configuration:

FX211E5919000011 # config system lan-switchFX211E5919000011 (lan-switch) # config portsFX211E5919000011 (ports) # showconfig system lan-switch ports

edit port1nextedit port2nextedit port3nextedit port4next

end

To remove Port 4 from the LAN switch:

FX211E5919000011 (ports) # delete port4FX211E5919000011 (ports) <M> # nextFX211E5919000011 (ports) # show



config system lan-switch portsedit port1nextedit port2nextedit port3next

end

To add Port 4 back to the LAN switch:

FX211E5919000011 (ports) # showconfig system lan-switch ports

edit port1nextedit port2nextedit port3next

end

Example LAN switch configuration

FX211E5919000011 (ports) # edit port4FX211E5919000011 (port4) <M> # nextFX211E5919000011 (ports) # showconfig system lan-switch ports

edit port1nextedit port2nextedit port3nextedit port4next

end

Configure switch interface

A software switch is a virtual switch that is implemented at the software or firmware level. It can be used tosimplify communication between devices connected to different FortiExtender interfaces. For example, using asoftware switch, you can place the FortiExtender interface connected to an internal network on the samesubnet as your other virtual interfaces, such as VXLAN, aggregate interfaces, and so on.

Similar to a hardware switch, a software switch functions like a single interface. It has an IP address, and all theinterfaces in the software switch are on the same subnet. Traffic between devices connected to each interfaceis not regulated by security policies, while traffic passing in and out of the switch is controlled by the samepolicy.

When setting up a software switch, consider the following:



l Ensure that you have a backup of your configuration.l Ensure that you have at least one port or connection, such as the console port, to connect to the

FortiExtender unit. This ensures that, if you accidentally combine too many ports, you have a way to undothe error.

l The ports that you include must not have any link or relation to any other aspect of the FortiExtender unit,such as DHCP servers, security policies, and so on.

To create a software switch on the GUI:

1. Go to Networking > Switch Interface.2. ClickCreate Switch-Interface.3. Configure the name, interface members, and all the other required fields.4. ClickSave.

To create a software switch in the CLI:

config system switch-interfaceedit <interface>

set members <interface_list>set span enable | disable

nextend

Upon execution of the above commands, the following configuration will be automatically generated:

config system interfaceedit <interface>

set type switchset status down

nextend

You can update the IP, allowaccess, and the other configurations based on the switch interface. And thisinterface can also be used in configuring the DHCP server, firewall policies, routes, and some other modules.

Configure VXLAN interface

VXLAN encapsulates OSI Layer-2 Ethernet frames within Layer-3 IP packets using the standard destinationPort 4789. VXLAN endpoints, known as VXLAN tunnel endpoints (VTEPs), terminate VXLAN tunnels which canbe virtual or physical switch ports.

To add a VXLAN interface from GUI:

1. Go to Networking>VXLAN.2. ClickCreate VXLAN.3. Configure the name, VNI, remote IP, local IP, and dstport.4. ClickSave.



l The local IP must be an IP address of one o your system interfaces.l The VNI must be unique on every single local IP.l The destination port is 4789 by default. The valid range is 1—16777215.

To configure VXLAN from the CLI:

config system vxlanedit <vxlan>

set vni <vni>set remote-ip <remote ip>set local-ip <local ip>set dstport 4789

nextend

Upon execution of the above commands, the following configuration will be automatically generated:

edit vxlan1set type vxlanset status downset mode static

end

You can change the IP, allowaccess, mode, and some other configurations based on this VXLAN interface.

Aggregate interface support with load-balancing

Interfaces of the same type can be aggregated into a virtual aggregate interface as its members. Amember ofan aggregate interface can be monitored by HMON. Amember is considered as healthy if its link is up andmarked as ALIVE by HMON. Only a healthy member could be considered as a candidate for sending andreceiving packets.

Interfaces are aggregated in either of the following ways:

l Active backup—Only one member of the aggregate interface is active to send and receive packets at atime. One member should be designated as the primary and the others as secondary. If the primarymember is healthy, it should be chosen as the active member. Otherwise, another healthy member mustbe chosen instead. Once the primary member becomes healthy again, it will take over the traffic.

l Load balance—All healthy members are active for sending and receiving packets. Packets are sent overactive members based on the round-robin algorithm at the same time. Packets originated from the samesource follow the same path.

Once an interface becomes a member of an aggregate interface, it must not be used for firewall and PBR. Theaggregate interface must be used instead.

To create an aggregate interface in the GUI:

1. Go to Networking>Aggregate Interface.2. ClickCreate Aggregate Interface.3. Configure the ID, Mode, and Mapping timeout if mode is set to load balance.4. ClickCreate Member.



5. Configure the Name, Interface, Weight/Role, HealthCheck, HealthCheckFailCount, andHealthCheckRecoveryCount

To create an aggregate interface the CLI:

A table is added to /config/system to represent interface aggregations. Each table entry indicates anaggregate interface to be created and one or more interfaces can be aggregated under this aggregateinterface.

The following code shows the configuration of two aggregate interfaces in active backup and load-balancemode:

config system aggregate-interfaceedit agg1

set mode loadbalanceset mapping-timeout 60config members

edit 1set interface vx2set health-check-event vxlanset health-check-fail-cnt 5set health-check-recovery-cnt 5

nextedit 2

set interface vx3set health-check-eventset health-check-fail-cnt 5set health-check-recovery-cnt 5

nextend

nextedit agg2

set mode activebackupconfig members

edit 1set interface wanset role primaryset health-check-eventset health-check-fail-cnt 5set health-check-recovery-cnt 5

nextedit 2

set interface port4set role secondaryset health-check-eventset health-check-fail-cnt 5set health-check-recovery-cnt 5

nextend

nextend

Following configuration will be automatically generated:

config system interfaceedit agg1



set type aggregateset status down

nextedit agg2

set type aggregateset status down

nextend

You can update the IP, allowaccess, and other configurations based on the aggregate interface. And thisinterface can also be used in configuring the DHCP server, firewall policies, routes, and some other modules.

To get the aggregate interface status:

# get system aggregate-interface statusagg2:

2(port4): linkdown UNKNOWN aggregated1(wan): linkup UNKNOWN aggregated active

agg1:2(vx3): linkup UNKNOWN aggregated active1(vx2): linkup ALIVE aggregated active


DHCP configurations

DHCP configurations

FortiExtender supports DHCP server and DHCP relay. The following sections discuss how to configure theDHCP server and DHCP relay. respectively.

l Configure DHCP serverl Configure DHCP relay

Configure DHCP server

You can configure the DHCP server from FortiExtender Cloud or locally while the device is set in NAT mode.

To configure the DHCP server, change the IP address of the LAN interface to the correct subnet, and thencreate the DHCP server subnet using commands described in the table below.


config system dhcpserver Enters DHCP server configuration mode.

edit <name> Specify the name of the DHCP server.

set status {enable |disable | backup}

Set the DHCP server status:l enable—Enable the DHCP server.l disable—Disable the DHCP server.l backup— Enable in VRRP backup mode. (Note: The DHCP server is

launched only when the VRRPmaster goes down.)

set lease-time <lease_time>

Specify the DHCP address lease time in seconds. The valid range is 300–8640000. 0 means unlimited.

set dns-service {local |default | specify | wan-

dns}

Select one of the options for assigning a DNS server to DHCP clients:l local—The IP address of the interface of the DHCP server that is

added becomes clients' DNS server IP address.l default—Clients are assigned the FortiExtender configured DNS

server.l specify—Specify up to three DNS servers in the DHCP server

configuration.l wan-dns—The DNS of the WAN interface that is added becomes

clients' DNS server IP address.

set dns-server1 <dns_server1>

Specify the IP address of DNS Server 1.






DHCP configurations


set ntp-service {local |default | specify}

Select an option for assigning a Network Time Protocol (NTP) server toDHCP clients:l local—The IP address of the interface of the DHCP server that is

added becomes clients' NTP server IP address.l default—Clients are assigned the FortiExtender configured NTP

servers.l specify—Specify up to three NTP servers.

set ntp-server1 <ntp_server1>

Specify the IP address of NTP Server 1.





set default-gateway<gateway>

Specify the default gateway IP address assigned by the DHCP server.

set netmask <netmask> Specify the netmask assigned by the DHCP server.

set interface<interface>

Specify the interface on which the DHCP server is expected to run.

set start-ip <start_ip> Specify the start IP address of the DHCP IP address range. For example,192.168.1.100.

set end-ip <end_ip> Specify the end IP address of the DHCP IP address range. For example,192.168.1.120.

Example DHCP server configuration:

config system dhcpserveredit dsl

set status enableset lease-time 8640000set dns-service specifyset dns-server1 8.8.8.8set dns-server2 8.8.4.4set dns server3set ntp-service localset default-gateway 192.168.2.1set netmask 255.255.255.0set interface LANset start-ip 192.168.2.2set end-ip 192.168.2.254set mtu 1500set reserved-address enable

nextend

FortiExtender LAN interface(s) can be configured in static IP address mode locally or from FortiExtender Cloud.By default, the LAN interface has the IP address of 192.168.2.1/24 and can run a DHCP server servingaddresses from 192.168.2.2. You can enable the management of LAN-side capabilities from FortiExtenderCloud.


DHCP configurations

FortiExtender supports DHCP server with reserved addresses. To take advantage of this feature, you must dothe following:

1. Enable the set reserved-address option, as shown above.2. Configure the system DHCP-reserved-address using the following commands:

edit 1set ip <preferred host IP>set mac <mac address of host>set action <reserved | blocked>

end

l set action reserved ensures that the same IP is assigned to the host witha matching MAC address.

l set action disabled ensures that the host with a given MAC address is notassigned an IP address.

Configure DHCP relay

FortiExtender supports DHCP relay agent which enables it to fetch DHCP leases from a remote server. It has tobe configured per interface. Example below:

config system dhcprelayedit 1

set status enableset client-interfaces <interface name on which relay agent services are

offered>set server-interface <interface name through which DHCP server can be

reachable>set server-ip <remote dhcp server IP>


Network utilities

Network utilities

You can define your network from the following aspects:

l Address on page 32l Service on page 32l Target on page 32

Address

Addresses are used to define the networking nodes in your network. An address can be a subnet, a single IPaddress, or a range of IP addresses. With addresses, you can define the source and destination of networktraffic.

Service

Service defines traffic type, such as HTTP, FTP, etc. It consists of a protocol and the destination port.

For example:

config network serviceconfig service-custom

edit ALLset protocol IPset protocol-number 0

nextend

end

Target

Target is the network connected to FortiExtender. It is usually an up-link network, such as an NSP networkprovided by a wireless carrier. A target consists of an outgoing interface and a next hop. Targets are alwaysused in routing systems and SD-WANs to define the destination network to which traffic is sent.

The table below describes the commands for setting a target.


config router target Enters target configuration mode.

edit <name> Specify the target network.


Network utilities



Specify the outgoing interface of the gateway.

set next-hop <next_hop> Specify the IP address of the next-hop gateway.

Example target configuration:

# get system interface== [ lo ]name: lo status: online/up/link up type: loopback mac:00:00:00:00:00:00 mode: static ip: 127.0.0.1/8 mtu: 65536gateway: 0.0.0.0== [ eth1 ]name: eth1 status: online/up/link up type: lte mac:9a:fd:56:f1:1a:08 mode: dhcp ip: 10.118.38.4/29 mtu: 1500gateway: 10.118.38.5 dns: 172.26.38.1== [ nas1 ]name: nas1 status: online/up/link up type: physical mac:70:4c:a5:fd:1b:38 mode: dhcp ip: 172.24.236.22/22 mtu: 1500gateway: 172.24.239.254 dns: 172.30.1.105, 172.30.1.106# config router target(target) # edit target.lte(target/lte) <M> # abort(target) # edit target.lte(target.lte) <M> # set interface eth1(target.lte) <M> # set next-hop 10.118.38.5(target.lte) <M> # next(target) # end

A target is automatically created when an LTE is connected, with the LTE as theoutgoing interface and the gateway as the next hop. The next hop is not mandatory ifthe outgoing interface is a tunnel interface or a Virtual-WAN interface. For example:

edit target.fcs-1-phase-1set interface fcs-1-phase-1set next-hop

nextedit target.vwan1

set interface vwan1set next-hop

next


System routing

System routing

FortiExtender 4.2.2 supports static routing and Policy Based Routing (PBR). Dynamic routing, such as OSPF,ISIS, and EIGRP, is not supported in this release.

Both static routing and PBR apply to NAT mode only.

This section covers the following topics:

l Configure static routing on page 34l Configure PBR routing on page 35l View routing configurations on page 36l Move PBR rules on page 37

Configure static routing

The table below describes the commands for configuring static routing.


config router static Enters static route configuration mode.

edit <name> Specify the name of the static route.

set status {enable |disable}

Set the status of the static route:l enable—Enable the static route.l disable—Disable the static route.

set dst <dst> Specify the destination IP address and netmask of the static route in theformat: x.x.x.x/x

set gateway <gateway> Specify the IP address of the gateway.

set distance <distance> Specify the administrative distance. The range is 1–255. The default is 1.

set device <device> Specify the name of the outgoing interface.

set comment [comment] Enter a comment (optional).

Example static route configuration:

config router staticedit 1

set status enableset dst 0.0.0.0/0


System routing

set gateway 192.168.2.1set distance 5set device lanset comment

nextEnd

Configure PBR routing

The table below describes the commands for configuring Policy Based Routing (PBR).

CLI Command Description

config router target Enters target configuration mode.

edit <name> Specify the name of the target.


Specify the outgoing interface or tunnel.

set next-hop <next_hop> Specify the IP address of the next-hop gateway .

Example PBR configurations:

config router target

edit target.lanset interface lan

set next-hop 192.168.10.99nextedit target.vwan1

set interface vwan1set next-hop

next

Example PBR policy configuration:

config router policyedit vwan1-pbr

set input-device /* Incoming interface name.size[35] - datasource(s): system.interface.nameset src 192.168.2.0/24 /* Source IP and mask forthis policy based route rule.set srcaddr /* Source addressset dst /* Destination IP and maskfor this policy based route rule.set dstaddr /* Destination addressset service /* Service and servicegroup names.set target /* This PBR's out-goinginterface and next-hop.set status enable /* Enable/disable thispolicy based route rule.set comment /* Optional comments. size


System routing

[255]next

end

View routing configurations

Use the following commands to view routing configurations.

View routing targets:

get router info target== [ target.lo ]device : lonext-hop : 0.0.0.0route type : automaticrouting-table : target.lo.rt.tblreference counter : 0

== [ target.lan]device : lannext-hop : 192.168.10.99route type : automaticrouting-table : target.lan.rt.tblreference counter : 0

== [ target.vwan1 ]device : vwan1next-hop : 0.0.0.0route type : automaticrouting-table : target.vwan1.rt.tblreference counter : 0

View PBR configurations:

get router info policy== [ vwan1-pbr ]seq : 100status : enableinput-interface :src : 192.168.2.0/24src-addr :dst :dst-addr :service :target : target.vwan1routing-table : target.vwan1.rt.tblcomment :

View routing tables:

get router info routing-table allCodes: K - kernel, C - connected, S - static* - candidate default


System routing

* 0.0.0.0/0 is the default routing.

Move PBR rules

You can use the move command to change the order of the PBR rules you've created.

In the following example, you have created two policy rules:

config router policyedit one

set input-device nas1set srcaddrset dstaddr allset serviceset target target.loset status enableset comment

nextedit two

set input-device loset srcaddrset dstaddrset serviceset target target.eth1set status enableset comment

next

If you want to move policy one after two, you can use either of the following commands:

move one after two

or

move two before one

Configure multicast routing

FortiExtender is capable of running PIM-SM to discover terminal devices which can join multicast routinggroups accordingly. Other than supporting multicasting routing directly on LTEWAN links (mostly for privatenetworks), this feature can also be used to run on top of IPSEC interfaces of FortiExtender to enable privateand secure multicast routing.

FX201E5919000012 # config router multicastFX201E5919000012 (multicast) # showconfig router multicast

config pim-sm-globalset join-prune-interval 60


System routing

set hello-interval 30config rp-address

edit 1set address 169.254.254.1set group 224.0.0.0/4

nextend

endconfig interface

edit lannextedit fexnext

endend

Multicasting network topology


Firewalls

Firewalls

Firewalls allow you to control network access based on Layer-3 or Layer-4 information. Also, SNAT is providedto perform Source Net Address Translation.

Firewall configuration involves the following tasks:

l Configure address/subnet on page 39l Configure protocol/port range on page 39l Configure firewall policies on page 40l Move firewall policies on page 41

Configure address/subnet

Use the following commands to specify the IP address/subnet to which you can apply firewall policies.


config network address Enters network IP address configuration mode.

edit <name> Specify the name of the IP address configuration object.

set type {ipmask |iprange}

Select either address type:l ipmask—IPv4 address/mask in the format: x.x.x.x/xl iprange—IP addresses range.

Example address/mask configurations:

config firewall addressedit internet

set type ipmaskset subnet 0.0.0.0/0

nextedit src

set type iprangeset start-ip 192.168.2.3set end-ip 192.168.2.4

nextend

Configure protocol/port range

Use the following commands to specify the network protocols and ports to which you want to apply firewallpolicies.


Firewalls


config network serviceservice-custom

Enters the network service configuration mode.

edit <name> Specify the name of the service configuration object.

set protocol <ProtocolType>

Specify the protocol (service).

set protocol number <0-255> *

Specify the protocol number (if you are not sure of the name of theprotocol).

set protocol udp-portrange

Specify the port range for UDP protocol.

set protocol tcp-portrange

Specify the port range for TCP protocol.

Example protocol/port range configurations:

config network service service-customedit service1

set protocol tcpset tcp-portrange 5000-5555

nextedit service2

set protocol udpset udp-portrange 6000-6350

nextedit service3

set protocol icmpnextedit service4

set protocol ipset protocol-number 47

nextend

Configure firewall policies

Once you have completed setting the IP addresses/mask and services (protocols)/port ranges you want tocontrol with firewall policies, you can then use the following commands to impose firewall policies on them.


config firewall policy Enters firewall policy configuration mode.

edit <name> Specify the name of the firewall configuration object.

set srcintf Specify the ingress interface.

set dstintf Specify the egress interface.


Firewalls


set srcaddr Specify the source IP address, which can be either a single IP address or arange of IP addresses.

set action {allow |deny}

Select either of the following actions:l allow—Allow access.l deny—Deny access.

set status {enable |disable}

Set the status of the policy:l enable—Enable the policy.l disable—Disable the policy.

set nat {enable |disable}

Select an option for NAT:l enable—Enable NAT.l disable—Disable NAT.

Example firewall policy configurations:

config firewall policyedit filter

set srcintf anyset dstintf anyset srcaddr recset dstaddr internetset action denyset status enableset service service1 service2 service3 service4set nat disable

nextend

The FortiExtender firewall is in White List mode, which blocks all traffic by default. Youmust create a policy to allow traffic into your network.

Move firewall policies

You can use the move command to change the order in which your firewall policies are applied.

In the following example, you have created two policy rules:

config firewall policyedit filter1

set srcintf anyset dstintf anyset srcaddr recset dstaddr internetset action denyset status enableset service service1 service2 service3 service4set nat disable


Firewalls

nextedit filter2

set srcintf lanset dstintf wanset srcaddr wowset dstaddr internetset action allowset status enableset service service1 service2 service3 service4set nat disable

nextend

If you want to move policy one after two, you can use either of the following commands:

move filter1 after filter2

or

move filter2 before filter1


VPN

VPN

FortiExtender uses IPsec VPN to connect branch offices to each other. It only supports the site-to-site VPNtunnel mode.

An IPsec VPN is established in two phases: Phase 1 and Phase 2.

Several parameters determine how this is done, except for IP addresses, the settings simply need to match atboth VPN gateways.

There are defaults that are applicable for most cases.

When a FortiExtender unit receives a connection request from a remote VPN peer, it uses IPsec Phase-1parameters to establish a secure connection and authenticate that VPN peer. Then, the FortiExtender unitestablishes the tunnel using IPsec Phase-2 parameters. Key management, authentication, and securityservices are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed on both units:

l Define the Phase-1 parameters that the FortiExtender unit needs to authenticate the remote peer andestablish a secure connection.

l Define the Phase-2 parameters that the FortiExtender unit needs to create a VPN tunnel with the remotepeer.

l Create firewall policies to control the permitted services and permitted direction of traffic between the IPsource and destination addresses.

l Create a route to direct traffic to the tunnel interface.

Currently, FortiExtender only works in VPN client mode, be sure to keep the followinglimitations in mind when using this feature:l If both ends of the VPN tunnel are FortiExtender devices, they must operate in

NAT mode and use a static public IP address.l If the remote device is not FortiExtender, it must have a static public IP address

and can work in VPN server mode.

This section discusses the following topics:

l Configure VPN on page 43l Check VPN tunnel status on page 49l IPsec VPN support for third-party certificates on page 49

Configure VPN

VPN configurations include the following operations:

l Configure phase-1 parametersl Configure phase-2 parametersl Configure firewall policiesl Configure route


VPN

Configure phase-1 parameters

Use the following commands to configure a VPN tunnel.


ike-version Specify the IKE protocol version, 1 or 2.

keylife Specify the time (in seconds) to wait before the Phase-1 encryption keyexpires. The valid range is 20 –172800.

proposal Specify Phase-1 proposal.

Dhgrp Select one of the following DH groups:l 1l 2l 5l 14

*interface Use either of the following:l wanl eth1/lte1/lte2Note: The WAN interface is only available on 2xxE devices. The names ofthe LTE interfaces vary depending on the hardware, as explained below:l lte1 (for FEX-201E and 211E)

type Select a remote gateway type:l staticl ddns

*remote-gw Specify the IPv4 address of the remote gateway’s external interface.

*remotegw-ddns Specify the domain name of the remote gateway, e.g., xyz.DDNS.com.

authmethod Select an authentication method:l psk(pre-shared key)l signature

*psksecret Specify the pre-shared secret created when configuring the VPN client.

*certificate set certificate <local-cert-name> Specify the name of localsigned personal certificates. This entry is only available when authmethodis set to signature. You can enter the names of up to four signed personalcertificates for the FortiExtender unit. The certificates must have alreadybeen installed on the FortiExtender before you are trying to enter themhere.

*peer set peer <ca-cert-name> This is the name of the CA certificateused to constrain that the peer certificate is issued by it or its sub-CA. Thisentry is available only when authmethod is set to signature. The certificatesmust have already been installed on the FortiExtender before you are tryingto enter them here.Note: If no peer is set, the peer certificate can still be accepted as long as aCA certificate that can verify the peer certificate exists.


VPN


Localid Specify the local ID.

peerid Accept the peer ID.

A Phase-1 interface can be of two categories:

l A static remote VPN gateway with a fixed IP address.l ADDNSwith a dynamic IP address functioning as a dynamic DNS client.

A Phase-1 interface can support the following two authentication methods:

l psk (pre-shared key)l signature

When a psk is configured, the psksecretmust be configured as well. When signature is chosen, it usesthe default Fortinet certs for authentication. Signature mode only supports FortiGate or FortiExtender as aremote gateway.

A tunnel interface is created in the system interface list when an IPSec Phase-1 is successfully created.

Configure phase-2 parameters


phase1name The name of Phase-1 which determines the options required for Phase- 2.

proposal Phase-2 proposal.

pfs Select either of the following:l enablel disable

Dhgrp Phase-2 DH group.

keylife-type Key life type.

keylifeseconds Phase-2 key life time in seconds.Note: The valid range is 120—172800.

encapsulation ESP encapsulation mode

protocol Quick mode protocol selector.Note: The valid range is 1—255. 0 means for all.

src-addr-type Local proxy ID type. Select one of the following:l subnet— IPv4 subnetl range—IPv4 rangel ip—IPv4 IPl name— IPv4 network address name

src-subnet Local proxy ID subnet.Note: This field is only available when src-addr-type is set tosubnet.


VPN


src-start-ip Local proxy ID start.Note: This field is only available when src-addr-type is set to eitherrange or ip.

src-end-ip Local proxy ID end.Note: This field is only available when src-addr-type is set to range.

src-name Local proxy ID name.Note: This field is only available when src-addr-type is set to name.

src-port Quick mode source port.Note: The valid range is 1—65535. 0 means for all.

dst-addr-type Remote proxy ID type. Select one of the following:subnet— IPv4 subnetrange—IPv4 rangeip—IPv4 IPname— IPv4 network address name

dst-subnet Remote proxy ID subnet.Note: The field is only available when dst-addr-type is set tosubnet.

dst-start-ip Remote proxy ID start.Note: This field is only available when dst-addr-type is set to eitherrange or ip.

dst-end-ip Remote proxy ID end.Note: This field is only available when dst-addr-type is set to range.

dst-name Remote proxy ID name.Note: This field is only available when dst-addr-type is set to name.

dst-port Quick mode destination port.Note: The valid range is 1—65535. 0 means for all.

Example VPN configuration:

FX201E5919002631 # config vpn ipsec phase1-interfaceFX201E5919002631 (phase1-interface) #config phase1-interface

edit fcs-0-phase-1set ike-version 2set keylife 8000set proposal aes128-sha256 aes256-sha256 3des-sha256aes128-sha1 aes256-sha1 3des-sha1set dhgrp 14 5set interface eth1set type staticset remote-gw 34.207.95.79set authmethod psk


VPN

set psksecret HG709!ppA#dset localid FX04DA5918004527set peerid

nextendFX201E5919002631 # config network addressFX201E5919002631 (address) # show

config network addressedit local_subnetset type ipmaskset subnet 192.168.2.0/24

nextedit remote_subnet


nextendFX201E5919002631 # config vpn ipsec phase2-interfaceFX201E5919002631 (phase2-interface) #

edit fcs-0-phase-2set phase1name fcs-0-phase-1set proposal aes128-sha1 aes256-sha1 3des-sha1aes128-sha256 aes256-sha256 3des-sha256set pfs enableset dhgrp 14 5set keylife-type secondsset keylifeseconds 86400set encapsulation tunnel-modeset protocol 0set src-type nameset src-name local_subnetset src-port 0set dst-type nameset dst-name remote_subnetset dst-port 0

nextendFX201E5919002631 # config firewall policyFX201E5919002631 (policy) # showconfig firewall policy

edit to_remoteset srcintf lanset dstintf fcs-0-phase-1set srcaddr local_subnetset dstaddr remote_subnetset action acceptset status enableset service ALLset nat disable

nextedit from_remote

set srcintf fcs-0-phase-1set dstintf lanset srcaddr remote_subnetset dstaddr local_subnetset action accept


VPN

set status enableset service ALLset nat disable

nextendFX201E5919002631 # config router staticFX201E5919002631 (static) # showconfig router static

edit to_remoteset status enableset dst 192.168.10.0/24set gatewayset distance 1set device fcs-0-phase-1set comment

nextend

Configure firewall policies

You must define two ACCEPT firewall polices to permit communications between the source and destinationaddresses.

config firewall policyedit to_remote

set srcaddr <The address name for the private network behind this FortiExtenderunit>

set dstaddr <The address name that you defined for the private network behindthe remote peer>

set service ALLset nat disableset srcintf <The interface that connects to the private network behind this

FortiExtender unit>set dstintf <The VPN Tunnel (IPsec Interface)>set status enable

nextedit from_remote

set srcaddr <The address name that you defined for the private network behindthe remote peer>

set dstaddr <The address name for the private network behind this FortiExtenderunit>

set service ALLset nat disableset srcintf <The VPN Tunnel (IPsec Interface)>set dstintf <The interface that connects to the private network behind this

FortiExtender unit>set status enable

nextend


VPN

Configure static routes

All network traffic must have a static route to direct its traffic to the proper destination. Without a route, trafficwill not flow even if the firewall policies are configured properly. You may need to create a static route entry forboth directions of VPN traffic if your firewall policies allow bi-directional tunnel initiation.

config router staticedit to_remote

set status enableset dst <The address name that you defined for the private network behind the

remote peer>set gateway <Leave as default: 0.0.0.0>set distance <Leave this at its default>set device <The VPN Tunnel (IPsec Interface)>set comment

nextend

If there are other routes on the FortiExtender unit, you may need to set the distance onthis route so the VPN traffic will use it as the default route. However, this normallyhappens by default because this route is typically a better match than the genericdefault route.

Check VPN tunnel status

Use the following command to check your VPN tunnel status:

FX201E5919002631 # get vpn IPSec tunnel detailsfcs-0-phase-1: 0000002, ESTABLISHED, IKEv2, 94e21ce630f449a4_i* 07ca3af8b5fb4697_rlocal 'FX04DA5918004433' @ 100.64.126.36[4500]remote 'strongswan' @ 34.207.95.79[4500]AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048established 6850s ago, rekeying in 681s, reauth in 78404sfcs-0-phase-2: 0000002, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_

96installed 6850s ago, rekeying in 72384s, expires in 88190sin cc6b72b7 (0x00000002), 704506 bytes, 6034 packetsout c3e9cb25 (0x00000002), 673016 bytes, 7407 packets, 0s agolocal 192.168.2.0/24remote 192.168.10.0/24

IPsec VPN support for third-party certificates

FortiExtender now is able to use third-party CA certificates at phase 1 to verify identity of peers and to establishIPsec VPN tunnels.


VPN

Import third-party certificates

Import a third-party CA certificate:

l From the Console: execute vpn certificate ca import tftp <remote_file> <local_name> <ip>

l From the GUI: ChickVPN>VPN Certificate>CA Certificate>Import New Certificate.

Import a third-party Local certificate

l From the console: execute vpn certificate local import tftp <remote_file><local_name> <ip> <passwd>

l From the GUI: ClickVPN>VPN Certificate>Entity Certificate>Import New Certificate.

Use third-party certificates for IKE authentication

In 4.2.0, two new fields "certificate" and "peer" have been added to the phase1 interface entry. You can usethem to reference the imported third-party certificates. It is important to know that these fields are availableonly when "authmethod" is set to signature.

Certificate

You can reference the datasource "vpn.certificate.local".

For the name of local signed personal certificates, you can enter the names of up to four signed personalcertificates for the FortiExtender unit. You must have the certificated already installed on the FortiExtenderbeforehand to be able to enter them here.

Peer

You can reference the datasource "vpn.certificate.ca".

This is the name of the CA certificate used to constrain that the peer certificate is issued by it or its sub-CA. Thecertificates must have already been installed on the FortiExtender before you are able to enter them here.

If the peer is not set, the peer certificate can still be accepted as long as a CAcertificate that can verify the peer certificate exists.

Example for using third-party certificates for IKE authentication

config vpn ipsec phase1-interfaceedit vpn1

set ike-version 2set keylife 86400set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1


VPN

3des-sha1set dhgrp 14 5set interface nas1set type staticset remote-gw 192.168.137.106set authmethod signatureset certificate <local_cert_name> ==> new fieldset peer <ca_cert_name> ==> new fieldset localidset peerid

nextend


Health monitoring

Health monitoring

This section discusses how to monitor network interface status and perform health check on links. It covers thefollowing topics:

l Monitor interface status on page 52l Perform link health check on page 53l Configure health monitoring on page 55

Monitor interface status

Use the following commands to configure traffic monitoring on an interface.

CLI Command Description

*set interface<interface_name>

Specify the interface to be monitored.

set interval Specify the monitoring interval in seconds. The valid range is 1–3600. Thedefault is 30.

set filter {rx_bytes |tx_bytes | rx_packets | tx_packets | rx_dropped | tx_dropped | rx_bps |tx_bps | rx_pps |tx_pps}

Set the monitor filters on the interface:l rx_bytes—The number of bytes received.l tx_bytes—The number of bytes transmitted .l rx_packets—The number of packets received.l tx_packets—The number of packets transmitted.l rx_dropped—The number of incoming packets dropped.l tx_dropped—The number of outgoing packets dropped.l rx_bps—The number of bytes received per second.l tx_bps—The number of bytes transmitted per second.l rx_pps—The number of packets received per second.l tx_pps—The number of packets transmitted per second.

Example interface monitoring configuration:

config hmon interface-monitoringedit fcs-0-phase-1-mon

set interval 30set interface fcs-0-phase-1set filter rx_bytes tx_bytes

nextedit fcs-1-phase-1-mon

set interval 30set interface fcs-1-phase-1set filter rx_bytes tx_bytes

nextedit ifmon

set internal 30


Health monitoring

set interface lte1set filter rx_bytes tx_bytes

nextend

You can monitor the aforementioned configuration using the following commands:

X04DA5918004433 # get hmon interface-monitoring fcs-0-phase-1-mon

rx_bytes tx_bytes rx_packets tx_packets rx_dropped tx_dropped rx_bps tx_bpsrx_pps tx_ppsfcs-0-phase-1: 12.76MB 3.40MB 24878 210320 0 488b 968b 0 0

X04DA5918004433 # get hmon interface-monitoring ifmonrx_bytes tx_bytes rx_packets tx_

packets rx_dropped tx_dropped rx_bps tx_bpsrx_pps tx_ppslte1: 22.20MB 11.50MB 83137 722810 0 101.85Kb 21.14Kb 15 140

Perform link health check

Health checks can be performed on all types of links. The following example shows a health checkconfiguration on top of two IPSec VPN links, “fcs-0-phase-1” and “fcs-1- phase-1”, respectively.

Use hmon hchk to send probes to a specific target to measure:

l The maximum, minimum, or average latency for a given period.l The maximum, minimum, or average packet loss rate for a given period.l The latency variation (jitter) for a given period.

Paramerter Descriptions

protocol {ping | http| dns}

The protocol used for status check.

interval The monitoring interval in seconds. The valid value range is 1—3600; thedefault is 5.

probe-cnt The number of probes sent within the interval. The valid range is 1—10;the default is 1.

probe-tm The timeout for a probe in seconds. The valid value range is 1—10; thedefault is 2.

*probe-target The target to which a probe is sent.

port The port number used to communicate with the server. The valid valuerange is 165535; the default is 80.

http-get The URL used to communicate with the server. The default is /.


Health monitoring

Paramerter Descriptions

*interface The outbound interface of probe packets.

src-type {none |interface | ip}

Specify the way to set the source address for probes.

src-iface Set the source address as the address derived from the specified interface.

src-ip Set the source address as a specific IP.

filter {rtt | loss} Specify the desired filter.

Example health monitor health check configurations:

config hmon hchkedit fcs-0-phase-1-chk

set protocol pingset interval 5set probe-cnt 1set probe-tm 2set probe-target 34.207.95.79set interface fcs-0-phase-1set src-type interfceset src-iface lanset filter rtt loss

nextedit fcs-1-phase-1-chk

set protocol pingset interval 5set probe-cnt 1set probe-tm 2set probe-target 34.207.95.79set interface fcs-1-phase-1set src-type interfceset src-iface lanset filter rtt loss

nextend

You can get the health check status for the above configurations using the following command:

FX04DA5918004433 # get hmon hchk fcs-0-phase-1median rtt: avg max min now sd am/s

fcs-0-phase-1: 141.00ms 151.62ms 127.73ms 132.06ms 7.28ms 19.4packet loss: avg max min now

fcs-0-phase-1: 0% 0% 0% 0%

FX04DA5918004433 # get hmon hchk fcs-1-phase-1median rtt: avg max min now sd am/s

fcs-1-phase-1: 121.27ms 133.56ms 108.98ms 115.86ms 8.49ms 14.3packet loss: avg max min now

fcs-1-phase-1: 0% 0% 0% 0%


Health monitoring

Configure health monitoring

Health Monitoring or HMON is commonly used for monitoring network and system health status, in addition tonotifying subscribers of certain conditions which result in reporting collected statistics to FortiExtender cloud orFortiGate, respectively. One instance could involve data overage, another could be probing targets via ping orHTTP, and another could be checking link usability based on RTT or packet loss.

To configure interface monitoring:

config hmonconfig interface-monitoring

edit < interface specific monitor name >set interval <interval size in seconds, default:30>set interface <interfaces to monitor: lte1, lte2>set filter <interested fields: rx_bytes,tx_bytes,rx_packets,tx_packets,rx_

dropped,tx_dropped,rx_bps,tx_bps,rx_pps,tx_pps>next

end

To configure health check (which can be via ping, http,etc with specific intervals, timeouts andfilters on any specific interface or interfaces):

config hchkedit < health check type name >

set protocol <ping|http|dns, default: ping>set interval <interval size in seconds, default :30>set probe-cnt <probes to be sent within an intervalm default:1>set probe-tm <probe timeout, default:2>set probe-target <target to be probed>set interface <uplink interfaces on which probe has to be sent>set src-iface <interface whose source IP is to be used>set filter <rtt |loss>

nextend

end

To display interface statistics with a pre-configured filter of choice:

get hmon interface-monitoring <interface specific monitor name>

To display health check statistics:

get hmon hchk <health check type name>

To run health check monitor to display all the interface statistics:

execute hmon interface-monitoring <interface>

To run health check instance on a specific interface:

execute hmon hchk protocol ping -I <interface> <probe ip or url>


System management

Systemmanagement

This section discusses system management tasks. It covers the following topics:

l FortiGate-FortiExtender zero-touch provisioning (ZTP) on page 56l Get system version on page 56l Upgrade OS firmware on page 57l Upgrade modem firmware on page 58l SMS notification on page 58l Remote diagnostics via SMS on page 59l Export system logs to remote syslog servers on page 60l Support for SNMP (read-only) and traps on page 60

FortiGate-FortiExtender zero-touch provisioning (ZTP)

FortiExtender supports FortiGate-FortiExtender zero-touch provision (ZTP). The process is outlined stepwiseas follows:

1. FortiExtender default discovery mode is set to auto with DHCP server enabled over the LAN interface. ASIM card without a PIN code is expected to be used for ZTP, and a default APN should be retrievedautomatically at first connection.

2. Acting as a DHCP client, FortiGate connects to the FortiExtender LAN interface to obtain a private IP toreach FortiManager.

3. FortiGate reports the discovered FortiExtender to FortiManager to authorize it (FortiExtender).4. Once authorized, FortiExtender switches to IP-passthrough mode and then reboots itself.5. Upon booting up in IP-passthrough mode, FortiExtender serves as the FortiExtender-WAN interface of

FortiGate, as it does in previous releases.

Get system version

Use the following command to find out your system version:

FX211E5919000011 # get system versionSystem version:

image version : FXT211E-v4.12-build400image type : Interimmodel : FortiExtender-211EMAC : 04:d5:90:21:5f:c7SN : FX211E5919000011license : ae30e2902fc1fe8fOEM SN : FX211E5919000011REV : 24258-01VERSION : 00020003ROM REV : FX211E


System management

Fallback image : FXT211E-v4.12-build400Image type : Interim

Upgrade OS firmware

You can upgrade FortiExtender OS firmware from FortiGate or FortiExtender Cloud. You can also upgrade theOS image directly using the FortiExtender GUI, or any of the following CLI commands, depending on yourcircumstances::

TFTP

execute restore os-image tftp <image name> <tftp server IP address>

FTP

execute restore os-image ftp <image name> <ftp server IP address> <username><password>

USB

1. Configure the OS image name.config system

set hostnameset auto-install-image enableset default-image-file <OS image name>

end

2. Insert the USB and reboot FortiExtender.

FortiExtender Cloud

Whether a FortiExtender is managed via FortiExtender Cloud, through FortiGate, or locally, you can always pullthe OS image from the cloud to upgrade it.

1. Enter this command:execute restore os-image cloud

The available OS images show on FortiExtender Cloud.2. Select the appropriate option offered in the CLI.

FortiExtender automatically downloads the images.

GUI

1. From the navigation bar, clickSettings.2. On top of the page, click Firmware.3. Select the desired OS firmware to upgrade.


System management

Upgrade modem firmware

The FortiExtender modem firmware can’t be upgraded from FortiGate. It must be upgraded from FortiExtenderCloud. The modem firmware is available as a downloadable package from the support site and can beupgraded directly from the FortiExtender CLI or by using the following commands, depending on yourcircumstances.

TFTP

execute restore modem-fw tftp <package name> <tftp server IP address>

FTP

execute restore modem-fw ftp <package name name> <ftp server IP address><username> <password>

USB

execute restore modem-fw usb <modem package name>

FortiExtender Cloud

Whether your FortiExtender is managed via FortiExtender Cloud, through FortiGate, or locally, you can alwayspull the modem image from the FortiExtender Cloud onto the device.

1. Enter this command:execute restore modem-fw cloud

The available modem images show on FortiExtender Cloud.2. Select the appropriate option in the CLI.

FortiExtender automatically downloads the images.

GUI

1. From the navigation bar, clickSettings.2. On top of the page, click Firmware.3. Select the desired modem firmware to upgrade.

SMS notification

FortiExtender-201E and 211E support Simple Message Service (SMS). This enables you to configure multiplemobile phone numbers on the FortiExtender to received SMS alerts.


System management

To create receivers:

config system sms-notificationset notification enable/disable

config receiveredit <user1>

set receiver enable/disableset phone-number <mobile phone number, format: +(country code)(phone number)>set alert <type of alerts i.e system-reboot,data-exhausted,session-disconnect,etc >

nextedit <user2>

set receiver enable/disableset phone-number <mobile phone number, format: +(country code)(phone number)>set alert <type of alerts i.e system-reboot,data-exhausted,session-disconnect,etc >

nextend

The following are the types of alerts that are supported:

config system sms-notification alertset system-reboot system will rebootset data-exhausted data plan is exhaustedset session-disconnect LTE data session is disconnectedset low-signal-strength LTE signal strength is too lowset os-image-fallback system start to fallback OS imageset mode-switch system networking mode switchedset fgt-backup-mode-switch FortiGate backup work mode switched

end

Remote diagnostics via SMS

FortiExtender supports remote diagnostics by SMS.

To enable remote diagnostics by SMS:

FX211E5919000011 # config system sms-remote-diagFX211E5919000011 (sms-remote-diag) # showconfig system sms-remote-diag

set remote-diag enableconfig allowed-user

edit userset sender disableset phone-number 5714515627set allowed-command-type factory-reset reboot get-system-status

nextedit user2

set sender enableset phone-number 5714515627set allowed-command-type reboot get-modem-status get-extender-status

nextend

end


System management

Export system logs to remote syslog servers

In order for FortiExtender to forward system logs to a remote syslog server, the syslogserver and FortiExtender's LAN port must be part of the same subnet.

FortiExtender is able to forward system logs to remote syslog servers based on user configuration.

To enable exporting system logs to a remote syslog server:

FX211E5919000011 # config system syslogFX211E5919000011 (syslog) # showconfig system syslog

set remote-serverset remote-port 514

end

FX211E5919000011 (syslog) # setremote-server Remote Syslog server IP addressremote-port Remote Syslog server port

Support for SNMP (read-only) and traps

As an SNMP agent, FortiExtender responds to SNMPmanagers query on v1/v2c and v3 protocol. It supportsthe following SNMP trap events (which can be configured in both SNMP community and user events):

l system-rebootl data-exhaustedl session-disconnectl low-signal-strengthl os-image-fallbackl mode-switchl fgt-backup-mode-switch

Typical SNMP commands

The following are commands commonly used to configure SNMP in FortiExtender.

FX201E5919000054 # config snmpFX201E5919000054 (snmp) # showconfig snmp

config sysinfoset status enableset descriptionset contact-infoset location

endconfig community

edit fext


System management

set status enableset hosts lanset query-v1-status enableset query-v1-port 161set query-v2c-status enableset query-v2c-port 161set trap-v1-status enableset trap-v1-lport 162set trap-v1-rport 162set trap-v2c-status disableset trap-v2c-lport 162set trap-v2c-rport 162set events

nextendconfig userendconfig hosts

edit lanset host-ip 172.30.0.0/16set host-type any

nextend

end

Sample SNMP commands

FX201E5919000054 # config snmpFX201E5919000054 (snmp) # showconfig snmp

config sysinfoset status disableset descriptionset contact-infoset location

endconfig communityendconfig userendconfig hostsend

end

FX201E5919000054 (snmp) # configsysinfo SNMP system info settingcommunity SNMP v1/v2c community settinguser SNMP v3 user settinghosts SNMP hosts setting

FX201E5919000054 (snmp) # config sysinfoFX201E5919000054 (sysinfo) # showconfig snmp sysinfo

set status disableset descriptionset contact-info


System management

set locationend

FX201E5919000054 (sysinfo) # setstatus Enable/disable SNMPdescription System description. size[127]contact-info Contact informationlocation System location. size[127]FX201E5919000054 (sysinfo) # end

FX201E5919000054 # config snmp hostsFX201E5919000054 (hosts) # edit lanFX201E5919000054 (lan) <M> # set*host-ip IPv4 address of the SNMP manager(host), syntax: X.X.X.X/24host-type Control whether the SNMP manager sends SNMP queries, receives SNMP traps, or

bothFX201E5919000054 (hosts) # end

FX201E5919000054 # config snmp communityFX201E5919000054 (community) # edit fextFX201E5919000054 (fext) <M> # setstatus Enable/disable this SNMP communityhosts Configure IPv4 SNMP managers (hosts)query-v1-status Enable/disable SNMP v1 queriesquery-v1-port SNMP v1 query port (default = 161)query-v2c-status Enable/disable SNMP v2c queriesquery-v2c-port SNMP v2c query port (default = 161)trap-v1-status Enable/disable SNMP v1 trapstrap-v1-lport SNMP v1 trap local port (default = 162)trap-v1-rport SNMP v1 trap remote port (default = 162)trap-v2c-status Enable/disable SNMP v2c trapstrap-v2c-lport SNMP v2c trap local port (default = 162)trap-v2c-rport SNMP v2c trap remote port (default = 162)events SNMP trap eventsFX201E5919000054 (community) # end

FX201E5919000054 # config snmp userFX201E5919000054 (user) # edit lanFX201E5919000054 (lan) <M> # setstatus Enable/disable this SNMP usernotify-hosts SNMP managers to send notifications (traps) totrap-status Enable/disable traps for this SNMP usertrap-lport SNMPv3 local trap port (default = 162)trap-rport SNMPv3 trap remote port (default = 162)queries Enable/disable SNMP queries for this userquery-port SNMPv3 query port (default = 161)events SNMP trap eventssecurity-level Security level for message authentication and encryptionFX201E5919000054 (user) # end

Executable SNMP commands

FX201E5919000054 # execute snmpmibs


System management

download Export SNMP MIBs to tftp serverFX201E5919000054 # execute snmpmibs downloadtftp download through TFTP.FX201E5919000054 # execute snmpmibs download tftpFORTINET-CORE-MIB.mib download FORTINET-CORE-MIB.mibFORTINET-FORTIEXTENDER-MIB.mib download FORTINET-FORTIEXTENDER-MIB.mibFX201E5919000054 # execute snmpmibs download tftp FORTINET-CORE-MIB.mibUsage: snmpmibs export mib_file tftp tftp_server<mpmibs download tftp FORTINET-FORTIEXTENDER-MIB.mibUsage: snmpmibs export mib_file tftp tftp_serverFX201E5919000054 #


Configure LTE settings


Typically, when deployed in the Cloud, FortiExtender is able to download its configuration from FortiExtenderCloud. However, you can still configure the device locally, using the commands below.

If you must configure the APN, you can do it on FortiGate, FortiExtender Cloud, orlocally.

Add a new carrier profile

Default carrier profiles are included in modem firmware package. You can check the default carriers using thefollowing commands:

config lte carriershowend

If your carrier is not in the list of profiles, you can create a customized carrier profile using the followingcommands:

config lte carrieredit <carrier>

set firmware <firmware name>set pri <pri name>

next

Add a new operator/carrier

An SIM map entry is used to get the carrier from the PLMN. Most PLMNs are supported in the defaultconfiguration. You can always check if your SIM PLMN is supported using the following command:

get lte carrier <mcc> <mnc>

If you cannot find the carrier of your SIM card, you can add a customized SIM using the following commands:

config lte simmapedit <carrier>

set mcc <first 3 digits of the IMSI number>set mnc <next 2 digits the IMSI number>set carrier <carrier name from the newly created carrier profile>

next

The new operator/carrier requires at least one matched carrier profile entry from“config lte carrier” to take effect.



Create a data plan

edit verizonset modem modem1set type by-carrierset carrier Verizonset apn WE01.VZWSTATICset auth NONEset userset pwdset pdn ipv4-onlyset signal-threshold 0set signal-period 0set capacity 0set monthly-fee 0set billing-date 0set overage disableset preferred-subnet 32set private-network disable

next

When "private network" is enabled, FortiExtender allows the flow of non-NAT'ed IP traffic on to an LTE interface. Otherwise, it does not.


modem Choose “modem1”, “modem2”, or “all”.

type Choose the way for the modem to select the SIM card:l by-iccidl by-slotl by-carrierl by-default

iccid The iccid of the SIM, mandatory for “set type by-iccid”.

carrier The SIM card carrier, mandatory for “set type by-carrier”.

slot The SIM card slot, mandatory for “set type by-slot”

apn Set the APN of the SIM card.

auth Choose the Authorization mode.

user Set the username.

pwd Set the password.

pdn Choose the Packet Data Network (PDN) IP address family.

signal-threshold Set the signal-strength threshold beyond which SIM switch will occur. (from-100 to -50 dBm)




signal-period Set the length of time (from 600 to 18000 seconds) for SIM switch to occurwhen signal strength remains below the set signal threshold for more thanhalf of the set period.

capacity Set data capacity per month (from 0 to 102400000 MB).

monthly-fee Set the monthly fee for the data plan (from 0 to 1000000).

billing-date Set the billing date of the month.

preferred-subnet DHCP subnet.

private-network Enable/disable blocking all non-NAT'ed traffic.

Set the default SIM

When you install dual SIM cards in one modem, you can configure the default SIM to use.

You can set the default SIM by

l Set the default SIM by preferred carrier on page 66l Set the default SIM by low cost on page 66l Set the default SIM by SIM slot on page 67

Set the default SIM by preferred carrier

Use this option to set the default SIM if you have SIM cards from different carriers.

config lte settingconfig modem1

set default-sim by-carrierset preferred-carrier <carrier name>

endend

Set the default SIM by low cost

This option applies when you need to choose the low-cost SIM over a more expensive one.

You must configure two entries under “config lte plan” for the two SIM cards separately. The systemwill calculate the cost based on the “set capacity” and “monthly-fee”.


set default-sim by-costend

end



Set the default SIM by SIM slot

The default SIM is sim1. You can change it to sim2 using the following commands:


set default-sim sim{1|2}end

end

Enable SIM-switch


config auto-switchset by-disconnect enableset by-signal disableset by-data-plan disableset disconnect-threshold 1set disconnect-period 600set switch-back by-time by-timerset switch-back-by-time 00:01set switch-back-by-timer 3600

endend

end

SIM-switching can be configured by data plan, disconnect settings, signal strength,coupled with switch back by time or by timer. All these options are under the “Autoswitch” setting.


by-disconnect The SIM card switches by disconnect.

by-signal The SIM card switches by signal strength.

by-data-plan The SIM card switches by data plan.

disconnect-threshold The number (1 - 100) of disconnects for SIM switch to take place.

disconnect-period The evaluation period (600 - 18000) in seconds for SIM switch.

switch-back Enables switching back to the preferred SIM card.

switch-back-by-time Switches over to the preferred SIM /carrier at a specified (UTC) time(HH:MM).

switch-back-by-timer Switches over to the preferred SIM/carrier after a given time (3600-2147483647) in seconds.



Report to controller

config lte settingconfig controller-report

set status [enable | disable]set interval 300set signal-threshold 10

endend


status Enable or disable periodic controller report.

interval The interval at which to notify the controller (once every 30 to 86400seconds; the default is 300).

signal-threshold The signal strength threshold (10 - 50 dBm). FortiExtender notifies thecontroller once the RSSI change has exceeded the set threshold.


Use cases

Use cases

This section discuses some typical use cases to deploy FortiExtender.

l Extended cellular WAN of FortiGate on page 69l Redundant with FGT in IP Pass-through mode on page 74l Manage from FortiExtender Cloud on page 80l FortiExtender 201E for FortiGate HA configuration

Extended cellular WAN of FortiGate

When setting up a FortiExtender out of box with FortiExtender OS version 4.2.2, you can connect FortiExtenderto FortiGate in either of the following ways:

l Connect the FortiGate port in DHCP client mode (such asWAN1/WAN2) to the FortiExtender LAN port (1 ,2 or 3). In this option, the FortiGate interface acquires DHCP lease from the FortiExtender LAN DHCPserver, and has a default gateway as the FortiExtender LAN interface IP address. An ZTP solution withFortiManager can be achieved through this mode.

l If the FortiGate internal /LAN is running a DHCP server, connect the FortiGate to port4 of FortiExtender201E, which acquires DHCP lease from the FortiGate DHCP server.

Connect to FortiGate

1. Connect your FortiExtender LAN port to the POE-enabled port of FortiGate.a. Enable the FortiExtender Controller on FortiGate.

# config system global(global) # set fortiextender enable(global) # end

b. Make sure that your FortiGate enables FortiExtender Controller.The FortiExtender-related GUI is hidden by default. To enable it, go to System > Feature Visibility.

c. Enable the CAPWAP access to use the FortiGate interface to which FortiExtender is connected.config system interfaceedit lan

append allowaccess fabricend


Use cases

The "append allowaccess fabric" command is introduced in FOS6.2.3, and applies to FortiGate devices running FOS 6.2.3 and later. If you areconnecting your FortiExtender to a pre-FortiOS 6.2.3 FortiGate device, youMUST use "append allowacess capwap" instead.

Be sure to keep the following in mind:l If FortiLink is enabled, FortiExtender must be connected to FortiGate

through FortiLink.l If FortiLink is enabled and FortiExtender is not part of FortiLink , the

discovery type on FortiExtender must be static.

2. Authorize the FortiExtender device.Once the FortiExtender is discovered, you must authorize it by associating it either with a virtual WANinterface or a VLAN interface.a. Go to Network > FortiExtender, and wait for the FortiExtender device to be discovered by

FortiGate.b. Bind the device to an interface and authorize it.

In FortiGate 5.4 and higher releases, you must manually create either a virtual WAN interface of typeFEX-WAN or a VLAN sub-interface, and link it to FortiExtender as part of the authorization process, asillustrated below.

Make sure that FortiExtender and FortiGate are connected on Layer 2 by default. Ifthey are not connected via Layer 2 but can reach each other via Layer-3 networking,configure your FortiExtender with static discovery using the following FortiExtender CLIcommands:

config system management fortigateset ac-discovery-type staticset static-ac-ip-addr 192.168.1.99set ac-ctl-port 5246set ac-data-port 25246

end


Use cases

VLAN mode and performance

While using the FEX-WAN type interface, all the traffic to/from FortiGate is encapsulated in the CAPWAP datachannel, whereas for VLAN type interface, the traffic is sent/received on the VLAN interface. Due to absence ofencapsulation overheads, VLAN mode delivers better speeds with the requirement that the VLAN interface bedirectly created on top of the port on which FortiExtender is connected to FortiGate.

Note that VLAN mode must be explicitly enabled, as it is disabled by default onFortiGate, and that all the FEX-WAN interfaces must be deleted before VLAN mode isenabled.

#config system global(global) # set fortiextender-vlan-mode enable(global) # end

Ensure that the VLAN interface is created based on the physical interface of yourconnected FortiExtender.

Modem connectivity

FortiExtender allows for multiple modes of operation of the modem from FortiGate.

l Always Connect—By default, this feature is enabled when a FortiExtender is authorized. In this mode, themodem is always connected to the Internet, meaning that the FortiExtender is readily available for Internetaccess from the FortiGate. If there are multiple active WAN interfaces on the FortiGate, care must betaken to ensure that the distances of the FortiExtender interface and other WAN interfaces are configuredappropriately. The FortiExtender’s modem is always connected to the Internet. It can be a primary orbackup method of connecting to the Internet for the FortiGate.

l On Demand—In this mode, FortiExtender instructs the modem to connect to an ISP for Internet accessonly upon executing the dial-up command and disconnects only upon a subsequent hang-up commandfrom the FortiGate CLI.

To connect

execute extender dial <SN>// <SN> is the FortiExtender's serial number.

To disconnect

execute extender hangup <SN>// <SN> is the FortiExtender's serial number.

Dual FortiExtender operations

Active/Passive mode

By default, each FortiGate device can support up to two FortiExtenders at a time. Typically, the firstFortiExtender that it has authorized takes the primary role and the second one takes the secondary role. Theprimary FortiExtender always provides Internet access and the secondary FortiExtender stays in passive mode.If the primary FortiExtender goes down, the secondary FortiExtender gets activated, and vice versa.


Use cases

Active/Active mode

To have access to active Internet sessions on both FortiExtenders simultaneously, the role of the secondaryFortiExtender needs to be changed to primary.

config extender-controller extenderedit < fext serial no > /* FortiExtender with secondaryrole */

set role primaryend

Cellular as backup of Ethernet WAN

In this redundant mode of operation, the FortiExtender daemon running on FortiGate monitors a given WANlink on the FortiGate, and brings up FortiExtender’s cellular Internet access when the WAN link is down andbrings down the FortiExtender cellular Internet when the WAN link comes up. For example:

config extender-controller extenderedit <FEXT serial number>set admin enableset ifname <fext interface>set mode redundantset redundant-intf < wan interface I,e wan1>

end

In this mode of operation, the FortiExtender interface comes up if the WAN interface goes down and goesdown if the WAN interface comes up.

ECMP across FEX-wan1 and wan1

To set up Equal-cost multi-path routing (ECMP) to automatically find the best path:

1. On the FortiGate UI, go to Router > Static > Settings, and do the following:a. Configure ECMP Load Balancing Method.b. Choose among Source IP based, Weighted Load Balance, Spillover, Source-Destination IP based,

andc. Configure your settings as required.

2. Go to System > Network > Interfaces and edit FEX-wan1, setting the distance to the same distance asthe wan1 interface underRouter > Static > Static Routes. (In this example, the distance is 10.)

Now the traffic is shared between the wan1 and FEX-wan1 links according to the ECMP Load BalancingMethod used. This deployment can be extrapolated for dual FortiExtender installation.

SD-WAN in FortiOS 5.6 and higher

FortiOS now recognizes and uses FEX as a valid interface within an SD-WAN interface bundle. Using SD-WAN,FortiGate becomes a WAN path controller and supports diverse connectivity methods. With FEX, 3G/4G canbe used as a primary connection, a backup interface, or a load-balanced WAN access method with Application-Aware WAN path control selection. It provides high availability and QoS for business-critical applications byusing the best effort access for low-priority applications through low-cost links, and backs up service through


Use cases

associations with an FEX link. This enables aggregation of multiple interfaces into a single SD-WAN interfaceusing a single policy.

To accomplish this:

1. Add the FortiExtender interface as a member of the SD-WAN interface, as illustrated below.

2. Define a load-balancing algorithm, as shown in the following example of volume-based distribution.


Use cases

3. Define your policies as illustrated below.

For more information about how to deploy SD-WAN in general, refer to FortiOS documentation.

Redundant with FGT in IP Pass-through mode

A Virtual Router Redundancy Protocol (VRRP) configuration can be used as a high-availability (HA) solution toensure network connectivity in the event of a failing FortiGate router. With VRRP enabled on FortiExtender, alltraffic will transparently fail over to FortiExtender when the FortiGate on your network fails. When the failedFortiGate is restored, it will take over the processing of traffic for the network.

For more information about VRRP, see RFC 3768.

Use Case 1: FortiExtender in VRRP mode while being managed from FortiGate.


https://www.ietf.org/rfc/rfc3768.txt

Use cases

General configuration procedures

1. The FortiExtender LAN interface consists of multiple ports by default. Be sure to separate out anindividual port from the LAN-switch for VRRP purposes. (Refer to "Step 3: Verify the port settings onFortiExtender" in FEX-201E for FortiGate HA configuration on page 83.)

2. Continue managing FortiExtender from FortiGate over the LAN interface. (NOT the VRRP interface.)3. Configure the VRRP gateway IP on the newly separated individual port on the FortiExtender and the

corresponding VRRP port on the FortiGate.4. Set the VRRP priority of the FortiExtender VRRP interface to a value lower than the FortiGate VRRP

interface's priority.5. Create a firewall policy on the FortiExtender to forward traffic from newly created VRRP interface to the

LTE internet (Refer to Configure firewall policies on page 40.)6. Ensure the VRRP ports on the FortiExtender and the FortiGate are connected by verifying that the

FortiExtender is in backup mode and the FortiGate is in master mode by running command "get router infovrrp".

In normal operations, all traffic to the internet passes through the primary VRRP interface of FortiGate. Theprimary VRRP router, which is the FortiGate, sends VRRP advertisement messages to the backup router, i.e.,the FortiExtender. The backup FortiExtender will not attempt to become a primary router while receiving thesemessages. If the primary router fails, the backup FortiExtender becomes the new primary router after a briefdelay, during which the new primary router, i.e., FortiExtender sends gratuitous ARP packets to the network tomap the default route GW IP address of the network to the MAC address of the new primary router. All packetssent to the default router are now being sent to the new primary router, i.e., FortiExtender. Upon switchover,the network will not continue to benefit from FortiOS security features until the FortiGate is back online.


Use cases

To enable VRRP on the interface attached to the LAN port on FortiGate:

FortiOS# config system interfaceFortiOS (interface) # edit <port num>

edit <port num>set vdom "root"set ip <ip> <subnet mask>set allowaccess pingset type physicalset vrrp-virtual-mac enableconfig vrrp

edit <vrrp id>set vrip <vrrp IP>set priority <priority>

nextend

end

To enable VRRP on FortiExtender:

config system managementset discovery-type fortigate

config fortigate-backupvrrp-interface <vrrp interface i.e por1>status enable

endend

config system interface wan vrrpset status enableset version 2 <only 2 is supported currently>set ip <IP of virtual router>set id <vrrp id>set priority <priority>set adv-interval <advertisement interval in seconds>set start-time <initialization timer for backup router, typically 1>set preempt <enable | disable> (preempting master typically disable)

end

The VRRP interfaces on FortiGate and FortiExtender must be individual ports, andmust not be part of a LAN switch with static IP address configuration. Devices relianton the Internet from FortiGate or FortiExtender must also have a static IP configured.

To display the status of virtual router on FortiExtender:

get router info vrrp


Use cases

Enable DHCP server on FortiExtender and the VRRP masterrouter

To ensure uninterrupted presence of a DHCP server when one of the VRRP-capable routers is down, you mustensure IP address availability all the time. Typically both the VRRPmaster and the backup routers areconfigured with DHCP servers with reserved IP addresses to their corresponding MAC addresses.

FortiExtender configured in VRRP backup mode will not launch the replicated copy of the DHCP server untiland unless the VRRPmaster router goes down; FortiExtender will also terminate the DHCP server when theVRRPmaster router comes back up.This ability ensures that the hosts in the VRRP domain always gets thesame IP address, irrespective of which VRRP router is in operation, without causing any IP address conflicts.

For information on DHCP server configuration, refer to Configure DHCP server on page 29.


Use cases

Enable DHCP relay on both FortiExtender and the VRRP masterrouter

You must guarantee IP address availability to ensure access to the DHCP server at any time. The hosts mustbe able to access a DHCP server locally or remotely on an uninterrupted basis. In the event that the DHCPserver is not present locally, a DHCP relay agent service is needed to receive DHCP requests from DHCP hostsand forwards the requests to the remote DHCP server, receive responses from the server, and cater to theneeds of DHCP clients. In this configuration, the FortiExtender which acts in VRRP backup mode will berunning a DHCP relay agent on a VRRP interface; the VRRPmaster router is also running a DHCP relay agenton the respective VRRP interface. This ability ensures that the hosts in the VRRP domain always gets the sameIP address, irrespective of which VRRP router is in operation, without causing any IP address conflicts becausethe requests are catered to by the same remote DHCP server.

For information on DHCP relay configuration, refer to Configure DHCP relay on page 31DHCP configurationson page 29

DHCP relay

FortiExtender now supports DHCP relay agent which enables it to fetch DHCP leases from a remote server. Ithas to be configured per interface. Example below:

config system dhcprelayedit 1set status enableset client-interfaces <vrrp interface name on which relay agent services are

offered>set server-interface <interface name through which DHCP server can be reachable>set server-ip <remote dhcp server IP>

end

The DHCP relay and DHCP server services can be run on any VRRP interface, whichcould be either a separate port or a VLAN interface.


Use cases


Use cases

Manage from FortiExtender Cloud

To manage FortiExtender from FortiExtender Cloud, you must have the following:

l A FortiCare accountl A FortiExtender Cloud license (The current SKU: FC-10-X0CME-608-02-DD)

Configure with FortiExtender Cloud

Refer to the FortiExtender Cloud Admin Guide for instructions on how to

l Access FortiExtender Cloud.l Deploy FortiExtender devices.l Synchronize devices.


https://docs2.fortinet.com/product/fortiextender-cloud/4.1

Use cases

IP Pass-through mode with Cloud management

1. On FortiExtender Cloud, configure a profile in IP pass-through mode.

2. Connect the FortiExtender LAN port to the WAN port of FortiGate or a third-party appliance.

If the WAN port is not POE-enabled, use a power injector (12V/1A) to power theFortiExtender device.

3. Set the WAN port of FortiGate or a third-party appliance to DHCP client mode. The device will get an IPaddress from the ISP and connect to the Internet.

NAT mode with Cloud management

1. Configure a profile in NAT mode. Refer to Step 1 in the preceding section.2. Use the following commands to complete the configurations:


Use cases

Address

config network addressedit all


nextedit none


nextedit src


nextend

Firewall policies

config firewall policyedit all-pass

set srcintfset dstintfset srcaddr srcset dstaddr allset action acceptset status enableset serviceset nat enable

nextend

Policy-based routing (PBR)

config routerconfig policy

edit eth1-pbrset input-deviceset src 192.168.2.0/24set srcaddrset dstset dstaddrset serviceset target target.eth1set status enableset comment

nextend

OBM management

FortiExtender can be connected to the console port of any device behind it via its USB port, thereby enablingout-of-band management (OBM). This mode requires access to FortiExtender over its WAN interface.


Use cases

This feature supports multiple OBM console connections with USB to multiple serial console cable/adapter.Once you've logged into FortiExtender, you can access its console port using the following procedures:

1. Log into the FortiExtender device.2. Connect to the console port of the device.3. Execute the command:

# execute obm-consoleWelcome to OBM Console - Serial Redirector.One device connected with ttyUSB0.Please choose the baudrate from list below:1. 96002. 192003. 384004. 576005. 1152006. 9216007. Other baudrateEnter to continue & CTRL+X to go back to FortiExtender Console.

When USB to multiple serial console cable/adapter is used, execute the following command:

# execute obm-consoleWelcome to OBM Console - Serial Redirector.There are 2 devices/ports connected.Please choose one from list below:1. ttyUSB02. ttyUSB1Please choose the baudrate from list below:1. 96002. 192003. 384004. 576005. 1152006. 9216007. Other baudrateEnter to continue & CTRL+X to go back to FortiExtender Console.

Make sure that the baud rate you select matches the baud rate of the router which isconnected to the serial console via the USB port.

FEX-201E for FortiGate HA configuration

This use case discusses how to use a FortiExtender 201E to support two FortiGate devices in HA configurationto ensure uninterrupted network connectivity and business continuity. It provides step-by-step instructions onhow to configure the FortiGate HA cluster from the FortiGate GUI. It also provides the FortiExtenderCLI commands to verify the port configuration of FortiExtender 201E as a WAN switch to support the FortiGateHA configuration.


Use cases

Network topology

Prerequisites

l The FortiExtender 201E device must be physically networked with the two FortiGate devices, with its Port1 connected to wan1 on the primary FortiGate and Port 2 connected to wan1 on the backup FortiGate, asillustrated in the Network topology.

l The two FortiGate devices must be physically connected via the HA port on both of them, as illustrated inthe Network topology.

l The two FortiGate devices must be running the same version of FOS.

The FortiGate devices used in this sample configuration are both running FOS 6.2.1.

Configuration procedures

This configuration involves the following major steps:

Step 1: Configure the primary FortiGate

1. Log in to the GUI of the primary FortiGate device.2. From the menu, go to Dashboard > Status.

The Status page opens.3. Locate the System Information widget, click the Hostname, and (from the drop-down menu) select the

Configure settings in System > Settings link.


Use cases

The System Settings page opens.4. Change the Host name to something that identifies the FortiGate as the primary device, and clickApply.5. Then, select System > HA, click the top part of the page to highlight it, and clickEdit.

The High Availability page opens.

The Edit button will not be available until the top part of the Status page ishighlighted.

6. Make the following required entries and/or selections:a. ChangeMode to Active-Passive.b. Set Device Priority to a value greater than the one set on the backup FortiGate.c. Specify aGroup name.d. Set the Password.e. Select two Heartbeat interfaces (one at a time) by doing the following:

i. Click + (plus sign), and (from the pop-up list of interfaces) select ha.ii. Set Heartbeat Interface Priority to 50.iii. ClickOK.iv. Click + (plus sign) again, and (from the pop-up list of interfaces) select wan1.v. Set Heartbeat Interface Priority to 50.vi. ClickOK.

Step 2: Configure the backup FortiGate

1. Log in to the GUI of the backup FortiGate device.2. From the menu, go to Dashboard > Status.

The Status page opens.3. Locate the System Information widget, click the Hostname, and (from the drop-down menu) select the

Configure settings in System > Settings link.The System Settings page opens.

4. Change the Host name to something that identifies the FortiGate as the backup device, and clickApply.5. Then, select System > HA, click the top part of the page to highlight it, and clickEdit.

The High Availability page opens.

The Edit button will not be available until the top part of the Status page ishighlighted.

6. Make the following required entries and/or selections:a. ChangeMode to Active-Passive.b. Set the Device Priority value smaller than the one set for the primary FortiGate.c. Set theGroup name to be the same as the one set on the primary FortiGate.d. Set the Password to be the same as the one set on the primary FortiGate.


Use cases

e. Select two Heartbeat interfaces (one at a time) by doing the following:i. Click + (plus sign), and (from the pop-up list of interfaces) select ha.ii. Set Heartbeat Interface Priority to 50.iii. ClickOK.iv. Click + (plus sign) again, and (from the pop-up list of interfaces) select wan1.v. Set Heartbeat Interface Priority to 50.vi. ClickOK.

l Ensure that the Device Priority value on the primary FortiGate is higherthan the one for the backup FortiGate.

l Ensure that two heartbeat interfaces are selected and the HeartbeatInterface Priority are both set to 50 on both.

Step 3: Verify the port settings on FortiExtender

1. Ensure that Port 1 on the back of the FortiExtender is connected to the WAN1 port on the primaryFortiGate. Refer to the Network topology.

2. Ensure that Port 2 on the back of the FortiExtender is connected to the WAN1 port on the backupFortiGate. Refer to the Network topology.

3. Run the following commands to verify and ensure that the physical Ports 1 and 2 are aggregated in theLAN switch port.

FX211E5919000011 # config system interfaceFX211E5919000011 (interface) # edit lanFX211E5919000011 (lan) # showedit lan

set type lan-switchset status upset mode dhcpset mtu 1500set vrrp-virtual-mac enableconfig vrrp

set status disableendset allowaccess http https ssh ping telnet

next

FX211E5919000011 # config system lan-switchFX211E5919000011 (lan-switch) # showconfig system lan-switch

config portsedit port1nextedit port2nextedit port3nextedit port4next

endend


Use cases

The "show" commands above yield the default settings of FortiExtender 201E asa LAN switch, which can be used out of the box to support FortiGateHA configurations. We recommend using these settings without change unless youare confident in your ability to configure custom settings of your own. If you preferto configure your own LAN switch, be sure to use the aforementioned commands todouble-check its configuration before putting FortiExtender to work.


Troubleshooting, diagnostics, and debugging


This section discusses system troubleshooting, diagnostics, and debugging. It covers the following topics:

l Troubleshooting on page 88l Status, diagnostics, and debugging commands on page 89l Diagnose FortiExtender on page 89

Troubleshooting

Below are some common error situations with their suggested solutions.

Can’t manage the FortiExtender from FortiExtender Cloud

Upgrade the FortiExtender to OS version 3.3.0 or higher.

Can’t start an Internet session

1. Type execute debug-mode ati to enter debug mode.2. Troubleshoot in the following sequence:

Step Task CLI command to use

1 Check the SIM cardIf the SIM is accessible, output the SIM IMSI number, forexample, 311480420284429.If the SIM can’t be read, reinsert it into the SIM slot until it clicksinto place.

AT+CIMI

2 Check the modem firmware compatibilityThe current firmware and the preferred firmware for the insertedSIM card must be the same, or else the output will indicate amismatch error.

AT!IMPREF?

AT!GOBIIMPREF?

3 Check the signal availabilityEnsure that the FortiExtender has good signal strength to derivegood speeds and prevent time-outs.

AT!GSTATUS?

4 Check Internet connectivityCheck to see if the APN is configured correctly. Although themodem in FortiExtender can negotiate the APN, it might runinto issues with some wireless providers.

AT+CGDCONT?



Status, diagnostics, and debugging commands

FortiExtender supports the following CLI commands for system status checking, diagnostics, and debugging.

Task CLI command/action

Check connectivity toFortiGate

get extender status

Check connectivity toFortiExtenderCloud

get cpm status

Check the status of modems get modem status

Perform health checks andmonitoring

get hmon hchk vwan.<vwan_member name>

(The member can be tunnel0 or tunnel1.)

Logs on telnet/ssh execute debug log-to-console on

Perform modularizeddebugging

1. Select the module.2. Turn the log level on/off as needed.

Debug execute debug <module> <log level> on/off

SYSTEM,MONITORD, EXTD, MDMD, CONNMGR,NETD,CLI,GUICPM,CONFIG,JCLI,HMON,IPSecD,FIREWALLD

Applicable log levels error, info, dbg, fatal, warning, trace

Diagnose FortiExtender

You can diagnose your FortiExtender device using any of the following methods:

l From FortiGatel From FortiExtender Cloudl From Telnet.

Diagnose from FortiGate

1. Open a browser to access the FortiGate GUI.2. From the main FortiGate window, go to Network > FortiExtender, as illustrated below.



If the FortiExtender is running correctly, the modem status and data usage statistics appear.3. ClickDiagnostics to open the Diagnostics window.

4. Click the down arrow, and form the drop-down menu, clickAT Command.The command text box opens.



5. Type a command into the text box, and clickRun.The output shows in the read-back area.

For a complete list of diagnostic commands, refer to Status, diagnostics, anddebugging commands on page 89.

Diagnose from FortiExtender Cloud

1. From FortiExtender Cloud, clickDashboard.

2. On the Dashboard page, click the FortiExtender device of interest.The device page opens.

3. ClickConsole.The Console Editor opens. You are now communicating directly with the modem.

4. Type execute debug-mode ati to enter debug mode.5. Type a debug command.

Amessage is returned showing the status of the modem.


Diagnose from Telnet

1. From the Windows Command prompt, type cmd.2. Type telnet [modem ip address]. (The default IP address is 192.168.100.20/24.)3. Enter your user name and password as required.4. Enter the command you want.


Collect complete diagnostics information

FortiExtender now supports collecting all diagnostics information in a compressed package. The packagecontains all details, including system software, hardware, configuration, CPU usage, memory usage, modemstatus, interfaces, routing tables, IP tables, VPN, session tables, and kernel logs.



Use the following command to collect all diagnostics information:

execute debuginfo export tftp <filename.tgz> <tftp server ip address>


Change Log

Change Log

Date Change Description

December 24, 2020 FortiExtender 4.2.2 Admin Guide, initial release.


Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., inthe U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may betrademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance andother results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any bindingcommitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’sGeneral Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performancemetrics and, in suchevent, only the specific performancemetrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will belimited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features ordevelopment, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, andguarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and themostcurrent version of the publication shall be applicable.

FortiExtender 4.2.2 Admin Guide - AWS

Documents

Transcript of FortiExtender 4.2.2 Admin Guide - AWS