FortiGate OSPF Configuration

Problem

How to configure OSPF on two FortiGates to restribute Default GW from HQ to Office 1 and Office 1 redistribute his local Subnets to the HQ (without the Transfer Subnet for Intern VDOM-Links). On top use the OPSF on Office 1 to reach all Subnets in the different VDOMs.

Solution

OSPF between HQ and Office1-root

First start with the basic connection in the Area 0.0.0.0 between the HQ and the Office1 Firewall:

FGT-HQ

config system interface
    edit lback-ospf
        set vdom root
        set type loopback
        set ip 10.0.0.1/32
    next
end
config router ospf
    set default-information-originate enable
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 172.17.10.248 255.255.255.248
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
  • default-information-originate: Enable forward default Gateway into the OSPF
  • config network: Add Subnets to listen for neighours (OSPF is only enabled on this Interfaces.) Use 0.0.0.0 to enable OSPF on all interfaces.
  • config redistribute: with set status enable redistibute all routes in the routing table (without filter)

FGT-Office (VDOM: root)

The root VDOM has more subnet in the routing table as we want to share with the HQ Firewall over OSPF. Because of that we have to filter the outgoing subnets with a route-map.

Let start at the begining with the easy part:
config system interface
    edit lback-ospf-root
        set vdom root
        set type loopback
        set ip 10.0.0.2/32
    next
end

config router ospf
    set router-id 10.0.0.2
    config area
        edit 0.0.0.0
        next
        edit 0.0.1.1
        next
    end
    config network
        edit 2
            set prefix 172.17.10.248 255.255.255.248
        next
        edit 3
            set prefix 192.168.2.0 255.255.255.0
            set area 0.0.1.1
        next
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
This Firewall as two OSPF Areas:
  • 0.0.0.0: The default Area to communicate with the HQ Firewall
  • 0.0.0.1: Internal Office1 Area to share routes with the other VDOMs
In the config network is defined which neighbours from the subnet is mapped to which OSPF Area. In our case all neighbours from 172.17.10.248/29 is mapped to Area 0.0.0.0. And all neighbours from 192.168.2.0/24 is mapped to the Area 0.0.0.1

OSPF Filtering
Now, we have to connection between HQ and Office1 - perfect! 
In the Office1 we have different routes (Tranfer Routes between the VDOMs) which we don't want to share with the HQ. So, we need to filter the routes bevor we redistribute it:
config router prefix-list
    edit "NET_192.168.110.0"
        config rule
            edit 1
                set prefix 192.168.110.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "NET_192.168.120.0"
        config rule
            edit 1
                set prefix 192.168.120.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "MAP_OSPF_redistribute"
        config rule
            edit 1
                set match-ip-address "NET_192.168.110.0"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
            edit 2
                set match-ip-address "NET_192.168.120.0"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end
  • preflix-list: define all Prefixes we use for our filter (Alternativ you can solve the same with config router access-lists)
  • route-map: Create a route-map with our prefxies
After we did the preparation part we can redistribute our subnets:
config router ospf
    config redistribute "connected"
        set status enable
        set routemap "MAP_OSPF_redistribute"
    end
    config redistribute "static"
        set status enable
        set routemap "MAP_OSPF_redistribute"
    end

Verify

We did all the configurations we need for the connection in the Area 0.0.0.0. Let's check what is happen on our Firewalls:
FGT-HQ
# get router info ospf neighbor 
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/Backup     00:00:40    172.17.10.250   port2
# get router info routing-table ospf
Routing table for VRF=0
O E2    192.168.100.0/24 [110/10] via 172.17.10.250, port2, 01:32:34
FGT-Office1 (VDOM:root)
# get router info routing-table ospf
Routing table for VRF=0
O*E2    0.0.0.0/0 [110/10] via 172.17.10.249, port2, 00:03:22
O E2    10.0.0.1/32 [110/10] via 172.17.10.249, port2, 01:34:32
O E2    172.17.20.248/29 [110/10] via 172.17.10.249, port2, 01:34:32

OSPF Office 1 between VDOMs

After we have the OSPF connection between the HQ and the Office1 we would like to establish the connection between the both VDOMs.
For that we have to extend the OSPF configuration on the root-VDOM and do the whole OSPF configuration on the Production-VDOM.

VDOM-root

configure router ospf
    config network
        edit 0
            set prefix 192.168.2.0/24
        end
    next
end

  • config network: We use the Subnet 192.168.2.0/24 to allow both neighbours (VDOM-Production and VDOM-Labor). Alternativ, also two entries with 192.168.2.0/30 and 192.168.4.0/30 are possible. 

VDOM-Production

configure router ospf
    set router-id 10.0.0.10
    config area
        edit 0.0.1.1
        next
    end
    config network
        edit 1
            set prefix 192.168.2.4 255.255.255.252
            set area 0.0.1.1
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
  • config area: This VDOM is only connected in the OSPF Area 0.0.0.1 - but has connection over VDOM-root to the Area 0.0.0.0
  • config network: Here we use the 192.168.2.4/30 subnet, because from the Production-VDOM we only connect to the root-VDOM
  • config redistribute "connected": We redistribute all connected subnet

Verify

VDOM-root
# get router info ospf neighbor 
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/DR         00:00:33    172.17.10.249   port2
10.0.0.10         1   Full/ -         00:00:30    192.168.2.5     Prod1
# get router info routing-table ospf
Routing table for VRF=0
O*E2    0.0.0.0/0 [110/10] via 192.168.2.5, Prod1, 00:08:32
O E2    10.0.0.1/32 [110/10] via 172.17.10.249, port2, 01:46:20
O E2    10.0.0.10/32 [110/10] via 192.168.2.5, Prod1, 00:08:12
O E2    172.17.20.248/29 [110/10] via 172.17.10.249, port2, 01:46:20
O E2    192.168.110.0/24 [110/10] via 192.168.2.5, Prod1, 00:08:12
VDOM-Production
# get router info ospf neighbor 
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/ -         00:00:32    192.168.2.6     Prod0
# get router info routing-table ospf 
Routing table for VRF=0
O E2    10.0.0.1/32 [110/10] via 192.168.2.6, Prod0, 00:09:28
O IA    172.17.10.248/29 [110/101] via 192.168.2.6, Prod0, 00:09:29
O E2    172.17.20.248/29 [110/10] via 192.168.2.6, Prod0, 00:09:28
O       192.168.2.0/30 [110/200] via 192.168.2.6, Prod0, 00:09:29
O E2    192.168.100.0/24 [110/10] via 192.168.2.6, Prod0, 00:09:28

OSPF Troubleshooting

With the following commands you can show all debug messages from the OSPF Process in the console:
diagnose ip router ospf all enable
diagnose ip router ospf level info
diag debug enable

Comments

Post a Comment

Popular posts from this blog

FortiGate BGP dual-home with multiple ISP

Image
Problem Design with two ISPs and an RIPE Routed public IP Ranges. How to solve, that the public Range is available over both ISPs but without asymetric Routing and ISP-1 is the primary. Solution FortiGate Basic BGP configuration First start with basic BGP configuration config router bgp set as 65301 set router-id 100.200.100.254 set keepalive-timer 45 set holdtime-timer 120 set bestpath-med-missing-as-worst enable set graceful-restart enable     config redistribution connected          set status enable     end end bestpath-med-missing-as-worst :  The route without MED is automaticly the worst destination. gracefule-restart :  Advertise reboots to neighbors so they don't see the router as offline, wait before declaring them offline, and how long to wait when they reboot before advertising updates. These commands apply to neighbors and are part of the BGP capabilities. This prevents unneeded routing updates. holdtime-timer: How long the router will wait for
Read more

FortiMail - Server Basic Configuration

Image
 Problem Nowhere is it written exactly how FortiMail must be configured in Server Mode to run a secure Basic Mail Server. Here is a summary of most of the settings: Solution System Network Configure your Interfaces Be sure that you have configured an default Gateway Port Forwarding FortiMail are able to forward Traffic from a the internet to the local LAN (DNAT). For more information:  FortiMail Doc FortiGate The FortiGate are able to send SMTP traffic through an WCCP Tunnel to the FortiMail for scanning. See for more information:  FortiDoc Configuration Set the correct Time Zone Configure your Password Policy Change the Admin Ports  to non default ports If you need configure the SNMP settings Mail Settings Set the Hostname  and the Local domain name . Togther there are the FQDN of the FortiMail. Activate the SMTP MA service  (use other ports for mail submiting by clients as mail transfer to other Mail servers.  Relay Host If you run the FortiMail behind another Mailserver which acts a
Read more

FortiGate as DNS Server or DNS Proxy

Image
 Problem Especially in small networks, sometimes you do not have a dedicated DNS server available. For this purpose, the FortiGate can be used as DNS server. For larger installations, all DNS queries should be proxied for security reasons. The FortiGate can also help here. Solution A detail documentation about the DNS Server functionality is in the offical documentation:  Fortinet Doc In this post I would like to clearly present the most important functions and configuration types of the DNS function. DNS-Server In the following example the FortiGate act as DNS Server: Enable DNS Feature Enable the DNS Feature in the GUI: CLI command: config system settings     set gui-dns-database enable end Configure DNS Server Enable the DNS Feature on the interface on which DNS requests should be answered: Select Network Select DNS Servers Select the listen Interface Select the DNS Server Mode (see delecration below) The same on the CLI: config system dns-server     edit DMZ2          set mode recu
Read more