
Configure IPAM locally on the FortiGate

In the document FortiOS 7.4.1 Administration Guide 1 687 (Pages 168-176)

IPAM (IP address management) is available locally on the FortiGate. A standalone FortiGate, or a Fabric root in the Security Fabric, can act as the IPAM server. Interfaces configured to be auto-managed by IPAM will receive an address from the IPAM server's address/subnet pool. DHCP Server is automatically enabled in the GUI, and the address range is populated by IPAM. Users can customize the address pool subnet and the size of a subnet that an interface can request.

Interfaces with a LAN role, wireless network interfaces (vap-switch type), and FortiExtender LAN extension interfaces (lan-extension type) can receive an IP address from an IPAM server without any additional configuration at the interface level (see Interfaces on page 160 for more information).

IPAM detects and resolves any IP conflicts that may occur on the interfaces that it manages. Users have the option to manually edit the interface or reallocate the IP.

IPAM can be configured on the Network > IPAM page using the IPAM Settings, IPAM Rules, IPAM Interfaces, and IPAM Subnets tabs.

To configure IPAM settings in the GUI:

1. Go to Network > IPAM and select the IPAM Settings tab.

2. Enable or disable the following settings:

   a. Status
   b. Auto-resolve conflicts
   c. Interfaces with LAN role
   d. FortiAP SSIDs
   e. FortiExtender LAN extensions

3. Click OK.

To configure IPAM settings in the CLI:

    config system ipam
        set pool-subnet <class IP and netmask>
        set status {enable | disable}
        set automatic-conflict-resolution {enable | disable}
        set manage-lan-addresses {enable | disable}
        set manage-lan-extension-addresses {enable | disable}
        set manage-ssid-addresses {enable | disable}
        config pools
            edit <pool_name>
                set subnet <IP address/netmask>
            next
        end
        config rules
            edit <rule_name>
                set device <name1> <name2> ...
                set interface <name1> <name2> ...
                set pool <pool_name>
            next
        end
    end

pool-subnet <class IP and netmask>
    Set the IPAM pool subnet, class A or class B subnet.

status {enable | disable}
    Enable/disable IP address management services.

automatic-conflict-resolution {enable | disable}
    Enable/disable automatic conflict resolution.
    When automatic-conflict-resolution is enabled, IPAM will periodically check and validate the addresses of all interfaces. In case of any conflicts, IPAM will automatically attempt to obtain a new address for the affected interface managed by IPAM, ensuring no address duplication.

manage-lan-addresses {enable | disable}*
    Enable/disable default management of LAN interface addresses.

manage-lan-extension-addresses {enable | disable}*
    Enable/disable default management of FortiExtender LAN extension interface addresses.

manage-ssid-addresses {enable | disable}*
    Enable/disable default management of FortiAP SSID addresses.

config pools
    Set the subnet for the IP pool.

config rules
    Set the device, interface, and IP pool for IPAM rules.

*When a manage- option is enabled, any interface that meets the specified criteria will automatically receive an IP address from IPAM. If the option is disabled, interfaces that meet the criteria are not configured by IPAM.

All manage- options are disabled by default. The central FortiIPAM configuration can be overridden at the interface level.

To override the central FortiIPAM configuration at the interface level:

    config system interface
        edit <name>
            set ip-managed-by-fortiipam {enable | disable | inherit-global}
        next
    end

The default setting is to inherit from the global configuration (inherit-global) through the relevant manage- option under config system ipam.
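The precedence just described (an explicit interface-level enable or disable wins; inherit-global defers to the manage- option that matches the interface's LAN role, vap-switch type or lan-extension type; anything else stays unmanaged) is easy to get wrong when reviewing a large interface inventory before turning IPAM on. The following is an added Python example, not FortiOS code or text from the guide, that encodes those rules as an audit function. It assumes that nothing is managed while the global status is disabled (the guide says status enables/disables the IPAM service, but does not spell this out for explicitly enabled interfaces); the interface names, roles and types in the inventory are constructed.

```python
from dataclasses import dataclass


@dataclass
class IpamGlobal:
    """The 'config system ipam' switches that decide automatic management."""
    status: bool = False
    manage_lan_addresses: bool = False
    manage_ssid_addresses: bool = False
    manage_lan_extension_addresses: bool = False


@dataclass
class Interface:
    """The per-interface fields from 'config system interface' that IPAM looks at."""
    name: str
    role: str = "undefined"                          # lan, wan, dmz, undefined
    type: str = "physical"                           # physical, vap-switch, lan-extension, ...
    ip_managed_by_fortiipam: str = "inherit-global"  # enable | disable | inherit-global


def ipam_manages(intf, glob):
    """True when IPAM will assign this interface an address.

    Assumption (not stated verbatim in the guide): nothing is managed while the global
    status is disabled. An explicit interface setting wins; inherit-global consults the
    manage- option that matches the interface's type or role."""
    if not glob.status:
        return False
    if intf.ip_managed_by_fortiipam != "inherit-global":
        return intf.ip_managed_by_fortiipam == "enable"
    if intf.type == "vap-switch":
        return glob.manage_ssid_addresses
    if intf.type == "lan-extension":
        return glob.manage_lan_extension_addresses
    if intf.role == "lan":
        return glob.manage_lan_addresses
    return False


def audit(interfaces, glob):
    """Names of the interfaces IPAM would take over, for review before enabling it."""
    return [i.name for i in interfaces if ipam_manages(i, glob)]


if __name__ == "__main__":
    # Constructed inventory loosely modelled on Example 2; names and roles are illustrative.
    inventory = [
        Interface("port1", role="wan"),
        Interface("port8", role="lan"),
        Interface("test-ssid", type="vap-switch"),
        Interface("FG019TM22004646", type="lan-extension"),
        Interface("port3", ip_managed_by_fortiipam="enable"),
        Interface("port5", role="lan", ip_managed_by_fortiipam="disable"),
    ]
    print(audit(inventory, IpamGlobal(True, True, True, True)))
    print(audit(inventory, IpamGlobal(True, manage_lan_addresses=True)))
```

Running the script with every option enabled lists port8, test-ssid, FG019TM22004646 and port3; port5 is skipped because its interface-level disable overrides the global manage-lan-addresses option, and port1 is never managed because a WAN role matches no manage- option.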

The following options are available for allocating the subnet size:

    config system interface
        set managed-subnetwork-size {32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | 16384 | 32768 | 65536}
    end

Example 1: physical interfaces

In this example, FGT_AA is the Security Fabric root with IPAM enabled. FGT_BB and FGT_CC are downstream Fabric devices and retrieve IPAM information from FGT_AA. The Fabric interface on all FortiGates is port2. FGT_AA acts as the DHCP server, and FGT_BB acts as the DHCP client.

To configure IPAM locally in the Security Fabric:

1. On the root FortiGate, go to Network > Interfaces and edit port3.

2. For Addressing Mode, select Auto-Managed by IPAM. DHCP Server is automatically enabled.

3. In this example, IPAM is not enabled yet. Click Enable IPAM. The Subnets Managed by IPAM pane opens.

4. Select Enabled, enter the Pool subnet (only class A and B are allowed) and click OK. The root FortiGate is now the IPAM server in the Security Fabric.

The following is configured in the backend:

    config system interface
        edit "port3"
            set vdom "root"
            set ip 172.31.0.1 255.255.0.0
            set type physical
            set device-identification enable
            set snmp-index 5
            set ip-managed-by-fortiipam enable
        next
    end

    config system ipam
        set status enable
    end

IPAM is managing a 172.31.0.0/16 network and assigned port3 a /24 network by default.

The IP/Netmask field in the Address section has been automatically assigned a class C IP by IPAM. The Address range and Netmask fields in the DHCP Server section have also been automatically configured by IPAM.

5. Click OK.

6. Log in to FGT_BB and set the Addressing Mode of port4 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.1.1/24.

7. Log in to FGT_CC and set the Addressing Mode of port34 to Auto-Managed by IPAM. The subnet assigned from the pool on the root is 172.31.2.1/24.

Any interface on a downstream FortiGate can be managed by the IPAM server. The interface does not have to be directly connected to the Fabric root FortiGate.

To edit the IPAM subnet:

1. Go to Network > IPAM > IPAM Settings.

2. Edit the pool subnet if needed.

3. ClickOK.

On downstream FortiGates, the settings on the Network > IPAM > IPAM Settings tab cannot be changed if IPAM is enabled on the root FortiGate.

Go to Network > IPAM > IPAM Interfaces to view the subnet allocations (port34, port3, and port3) and DHCP lease information. On FGT_BB, port3 is a DHCP client and the DHCP server interface (FGT_AA port3) is managed by IPAM, so it is displayed in the Manually Configured section.

Example 2: wireless network and FortiExtender LAN extension interfaces

In this example, the FortiGate serves as the Security Fabric root and has two interfaces: test-ssid (vap-switch type) and FG019TM22004646 (lan-extension type). Currently, neither interface has an IP address assigned to it.

To configure IPAM on the root FortiGate:

1. Go to Network > IPAM and select the IPAM Settings tab.

2. Enable the Status, Auto-resolve conflicts, Interfaces with LAN role, FortiAP SSIDs, and FortiExtender LAN extensions settings.

IPAM is disabled by default, so all these options are disabled by default. Each option must be activated individually to function, and they do not depend on one another.

3. Click OK.

After enabling IPAM on the root FortiGate with the specified settings, FortiGates that are part of the Security Fabric and have an interface set to either the LAN role, vap-switch type, or lan-extension type will automatically receive an IP assignment from the IPAM server without requiring any additional configuration at the interface level.

4. Verify the list of IPAM entries:

    # diagnose sys ipam list entries
    Entries: (sn, vdom, interface, subnet/mask, conflict)
    IPAM Entries:
    FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24
    FGVM08TM22004645 root test-ssid 192.168.2.254/24

When a downstream FortiGate joins the Security Fabric, the port7 interface is configured with a static IP (192.168.4.254/24), and port8 is set to a LAN role with no IP address assigned. The IPAM server assigns an IP to port8 of the downstream FortiGate since its role was set to LAN. It is observed that the FG019TM22004646 interface of the root FortiGate conflicts with port7 of the downstream FortiGate.

To verify the IP address conflict resolution:

1. On the root FortiGate, go to Network > IPAM and select the IPAM Interfaces tab.

There is a conflict marker (warning icon) beside the IP address of FG019TM22004646 due to a conflict between the IPAM-assigned interface FG019TM22004646 of the root FortiGate and the manually configured interface of the downstream FortiGate.

a. Verify the list of IPAM entries in the CLI:

    # diagnose sys ipam list entries
    Entries: (sn, vdom, interface, subnet/mask, conflict)
    IPAM Entries:
    FGVM08TM22004645 root test-ssid 192.168.2.254/24
    FGVM08TM22004647 root port8 192.168.3.254/24
    FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24 C

2. After some time, since Auto-resolve conflicts is enabled in the IPAM settings, the conflict is resolved automatically.

FG019TM22004646 has been assigned a new IP address of 192.168.1.254/24.

If Auto-resolve conflicts is disabled in the IPAM settings, mouse over the conflict marker and select Reallocate IP to manually reallocate the IP address.

a. Verify the list of IPAM entries in the CLI:

    # diagnose sys ipam list entries
    Entries: (sn, vdom, interface, subnet/mask, conflict)
    IPAM Entries:
    FGVM08TM22004645 root FG019TM22004646 192.168.1.254/24
    FGVM08TM22004645 root test-ssid 192.168.2.254/24
    FGVM08TM22004647 root port8 192.168.3.254/24

Diagnostics

Use the following commands to view IPAM related diagnostics.

To view the largest available subnet size:

    # diagnose sys ipam largest-available-subnet
    Largest available subnet is a /17.

To verify IPAM allocation information:

    # diagnose sys ipam list entries
    IPAM Entries: (sn, vdom, interface, subnet/mask, flag)
    F140EP4Q17000000 root port34 172.31.2.1/24 0
    FG5H1E5818900001 root port3 172.31.0.1/24 0
    FG5H1E5818900002 root port4 172.31.1.1/24 0
    FG5H1E5818900003 root port3 172.31.0.2/24 1

To verify the available subnets:

    # diagnose sys ipam list subnets
    IPAM free subnets: (subnet/mask)
    172.31.3.0/24
    172.31.4.0/22
    172.31.8.0/21
    172.31.16.0/20
    172.31.32.0/19
    172.31.64.0/18
    172.31.128.0/17

To remove a device from IPAM in the Security Fabric:

    # diagnose sys ipam delete device F140EP4Q17000000
    Successfully removed device F140EP4Q17000000 from ipam
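The free-subnet list and the "largest available subnet" figure above follow directly from how the pool is carved up: each managed interface takes a block of managed-subnetwork-size addresses (256, a /24, by default), and the remainder of the pool is kept as the largest aligned blocks possible. The following is an added Python example, not FortiOS code or text from the guide, that models that allocation together with the conflict detection and automatic-conflict-resolution behaviour of Example 2. It reproduces the Example 1 numbers (three /24 allocations from 172.31.0.0/16, the seven free subnets and the /17 largest available subnet). Its assumptions: allocation is buddy-style best-fit from the lowest free address, the interface address is the first usable host of its subnet (as in Example 1; Example 2 shows .254 instead), and an IPAM entry conflicts when its subnet overlaps a statically configured interface address. Serial numbers and interface names are taken from the page's output; the scenario data (the reserved 192.168.0.0/23, the static port7 address) is constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:  # one row of 'diagnose sys ipam list entries'
    sn: str
    vdom: str
    interface: str
    subnet: ipaddress.IPv4Network
    conflict: bool = False


class IpamPool:
    """Illustrative model (not FortiOS code) of an IPAM pool carved buddy-style into
    per-interface subnets; the default size of 256 (/24) matches Example 1."""

    def __init__(self, pool_subnet):
        self.pool = ipaddress.ip_network(pool_subnet)
        if self.pool.prefixlen > 16:  # the GUI only accepts class A or B pool subnets
            raise ValueError("pool subnet must be /16 or larger")
        self.free = [self.pool]  # free blocks, kept as large aligned pieces
        self.entries = {}        # (sn, vdom, interface) -> Entry

    def allocate(self, sn, vdom, interface, size=256):
        """Hand out the lowest-addressed best-fit block; size is managed-subnetwork-size."""
        if size & (size - 1) or not 32 <= size <= 65536:
            raise ValueError("managed-subnetwork-size must be a power of two in 32..65536")
        want = 32 - (size.bit_length() - 1)
        fits = [b for b in self.free if b.prefixlen <= want]
        if not fits:
            raise RuntimeError("no free /%d left in %s" % (want, self.pool))
        block = min(fits, key=lambda b: (-b.prefixlen, int(b.network_address)))
        self.free.remove(block)
        while block.prefixlen < want:  # split until the block is the requested size
            block, upper = block.subnets(prefixlen_diff=1)
            self.free.append(upper)
        entry = Entry(sn, vdom, interface, block)
        self.entries[(sn, vdom, interface)] = entry
        return entry

    def release(self, key):
        """Return a subnet to the pool, merging with its buddy while the buddy is free."""
        block = self.entries.pop(key).subnet
        while block.prefixlen > self.pool.prefixlen:
            parent = block.supernet(prefixlen_diff=1)
            buddy = next(s for s in parent.subnets(prefixlen_diff=1) if s != block)
            if buddy not in self.free:
                break
            self.free.remove(buddy)
            block = parent
        self.free.append(block)

    def reserve(self, network):
        """Carve an externally used network (e.g. a static interface) out of the free list."""
        network = ipaddress.ip_network(network, strict=False)
        kept = []
        for block in self.free:
            if not block.overlaps(network):
                kept.append(block)
            elif not block.subnet_of(network):  # block is bigger: keep the rest of it
                kept.extend(block.address_exclude(network))
        self.free = kept

    def mark_conflicts(self, static_interfaces):
        """Flag entries whose subnet overlaps a manually configured interface address."""
        statics = [ipaddress.ip_interface(a).network for _, _, _, a in static_interfaces]
        for key, e in list(self.entries.items()):
            hit = any(e.subnet.overlaps(s) for s in statics)
            self.entries[key] = Entry(e.sn, e.vdom, e.interface, e.subnet, hit)
        return [e for e in self.entries.values() if e.conflict]

    def resolve_conflicts(self, static_interfaces):
        """Model of automatic-conflict-resolution: move each conflicting entry to a
        subnet that cannot overlap any of the static addresses."""
        conflicts = self.mark_conflicts(static_interfaces)
        for e in conflicts:
            self.release((e.sn, e.vdom, e.interface))
        for _, _, _, addr in static_interfaces:
            self.reserve(ipaddress.ip_interface(addr).network)
        return [self.allocate(e.sn, e.vdom, e.interface, e.subnet.num_addresses)
                for e in conflicts]

    def free_subnets(self):  # same information as 'diagnose sys ipam list subnets'
        return [str(b) for b in sorted(self.free, key=lambda b: int(b.network_address))]

    def largest_available_subnet(self):  # as 'diagnose sys ipam largest-available-subnet'
        return min(b.prefixlen for b in self.free) if self.free else None

    @staticmethod
    def interface_address(entry):  # first usable host, as in Example 1 (172.31.0.1/24)
        return "%s/%d" % (entry.subnet.network_address + 1, entry.subnet.prefixlen)


if __name__ == "__main__":
    # Constructed walk-through of Example 1: a /16 pool and three managed interfaces.
    pool = IpamPool("172.31.0.0/16")
    for sn, intf in [("FG5H1E5818900001", "port3"), ("FG5H1E5818900002", "port4"),
                     ("F140EP4Q17000000", "port34")]:
        print(sn, "root", intf, IpamPool.interface_address(pool.allocate(sn, "root", intf)))
    print("free:", pool.free_subnets())
    print("largest available subnet: /%d" % pool.largest_available_subnet())
```

Run directly, the script prints the three Example 1 allocations, the same seven free subnets as the diagnose output and a largest available subnet of /17. `resolve_conflicts` takes a list of (serial, vdom, interface, address/prefix) tuples describing manually configured interfaces; it releases each conflicting entry, removes the static networks from the free list so they cannot be handed out again, and re-allocates, which is the behaviour to expect from Auto-resolve conflicts in Example 2.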
