FortiLink mode over a layer-3 network
In some cases, the requirement is to bring up a FortiSwitch in FortiLink mode, but the FortiSwitch is not directly connected to the FortiGate.
There is a layer 3 network between FortiGate and FortiSwitch.
Read the below link before starting the configuration:
Note that the layer3 FortiLink config has changed from the 7.2.x version and above.
Refer to the below configuration:
FortiGate v7.2.4.
FortiSwitch v7.2.3.
Configuring multiple FortiAnalyzers on a multi-VDOM FortiGate
AAA – Tacacs+
AAA on IOS-XR (NCS540)
aaa authorization exec LOCAL local
aaa authorization exec TACACS group TACACS local
aaa authentication login LOCAL local
aaa authentication login TACACS group TACACS local
aaa accounting exec default start-stop group TACACS
aaa accounting system default start-stop group TACACS
aaa accounting commands default start-stop group TACACS
aaa group server tacacs+ TACACS
server 10.0.0.1
server 10.0.0.2
tacacs-server host 10.0.0.1 port 49
key 7 xxx
!
tacacs-server host 10.0.0.2 port 49
key 7 xxx
!
username admin
group root-lr
secret 10 xxx
line console
authorization exec LOCAL
login authentication LOCAL
exec-timeout 12 0
!
line default
authorization exec TACACS
login authentication TACACS
exec-timeout 12 0
transport input ssh
aaa authorization exec TACACS group TACACS local
aaa authentication login LOCAL local
aaa authentication login TACACS group TACACS local
aaa accounting exec default start-stop group TACACS
aaa accounting system default start-stop group TACACS
aaa accounting commands default start-stop group TACACS
aaa group server tacacs+ TACACS
server 10.0.0.1
server 10.0.0.2
tacacs-server host 10.0.0.1 port 49
key 7 xxx
!
tacacs-server host 10.0.0.2 port 49
key 7 xxx
!
username admin
group root-lr
secret 10 xxx
line console
authorization exec LOCAL
login authentication LOCAL
exec-timeout 12 0
!
line default
authorization exec TACACS
login authentication TACACS
exec-timeout 12 0
transport input ssh
iPerf
Iperf:
Op een Cisco ASR920: ASR920s do a Y.1564 test
Central Services Topology
> Question: Have also seen comments in foreeum like. The best practice for this Hub and Spoke is to use TWO VRF in Hub site – “From-Spoke” and “To-Spoke”
This is immaterial implementation detail. Some shops do this, because their automation system abstracts VRF into set of import/export statements and clients share set and hubs share different set. Also if you have hub and spoke in the same PE, you’re going to need another name, if not, single name is fine, but may be more difficult to automate as name does not imply config.
ipv4 vrf hubs
route-target export 42:hubs
route-target import 42:spokes
ipv4 vrf spokes
route-target export 42:spokes
route-target import 42:hubs
Now the problem with this approach is that if you have >1 spokes in the same PE, they are able to communicate to each other. To workaround this, you’ll need ‘half duplex VRF’, where ingress and egress RIB/FIB are different.
Packets coming from spokes look at FibA, packets going to spokes look at FibB. FibA has only route to hubs, FibA has only routes to spokes.
ip vrf spokesIn
route-target import 42:hubs
ip vrf spokesOut
route-target export 42:spokes
ip vrf hubs
route-target export 42:hubs
route-target import 42:spokes
PE1:
int Spoke1
ip vrf forwarding spokesIn downstream spokesOut int Spoke2
ip vrf forwarding spokesIn downstream spokesOut int Hub1
ip vrf hubs
int Hub2
ip vrf hubs
Fortigate FGSP
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD46111&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=164542366&stateId=0%200%20164540878%27
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD46242&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=164542366&stateId=0%200%20164540878%27
Ansible – Fortigate
Ansible :
https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
https://docs.ansible.com/ansible/latest/modules/fortios_system_email_server_module.html#status
https://help.github.com/en/github/setting-up-and-managing-your-github-user-account/setting-your-commit-email-address
https://github.com/ansible/ansible/issues/48859
https://docs.ansible.com/ansible/latest/user_guide/vault.html
IOS:
https://docs.ansible.com/ansible/latest/network/user_guide/platform_ios.html
https://docs.ansible.com/ansible/latest/plugins/connection/network_cli.html
Fortigate:
Modules (overzicht)
https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_modules.html
https://docs.ansible.com/ansible/latest/modules/fortios_ipv4_policy_module.html
https://galaxy.ansible.com/fortinet/fortios
https://pypi.org/project/fortiosapi/
https://docs.ansible.com/ansible/latest/modules/fortios_alertemail_setting_module.html
https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_playbooks/fortios_alertemail_setting.html
Fortigate RestAPI Config Backup – FortiOS 6.0.4
Taskkill
taskkill /f /im Openwith.exe /t > NULL
Fortigate Troubleshooting
https://yurisk.info/2010/03/26/fortigate-bgp-configure-and-debug/index.html
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/150448/troubleshooting-for-dns-filter