FortiGate
rmetzger
Purpose

This article describes the basic steps to configure FortiGates in a simple OSPF scenario.

It includes the network diagram, requirements, configuration, and routing tables of all FortiGates.


Scope
  • All FortiGate models
  • FortiGate or VDOM in NAT mode only
  • FortiOS v4.0

Diagram
The following network diagram is used as an example to illustrate how to set up OSPF. Both FortiGates sit on the shared 192.168.182.0/23 segment through their "internal" interfaces, each with a /32 loopback (10.0.0.1 on FGT1, 10.0.0.2 on FGT2), and FGT1 holds a static default route to 192.168.183.254 on that same segment.

Diagram: rmetzger_FD30030_simple_ospf_setup.jpeg (image not reproduced in this text)

Expectations, Requirements

Basic requirements:

  • FGT1 automatically becomes an ASBR, because it originates a default route into OSPF (default-information-originate) based on its static default route via 192.168.183.254.
  • All locally connected interfaces must have OSPF enabled, and the corresponding subnets must be advertised as OSPF internal routes (not external). This is why the subnets are covered by network statements rather than by redistributing connected routes.

 

 Tech Tip : Using a loopback interface in this OSPF scenario is a simple convention that eases OSPF troubleshooting and administration. The OSPF router ID is set to the loopback address, so a Router ID shown by "get router info ospf neighbor" immediately identifies the device, and because the loopback /32 is advertised into OSPF the router stays reachable at that address over any remaining OSPF path.


Note : To enable OSPF on an interface, it only needs to be covered by a prefix in the network list. To enable OSPF on all interfaces with a single entry, use the prefix "0.0.0.0 0.0.0.0"; FGT1 is configured this way as an example. Be aware that this also enables OSPF on interfaces facing untrusted networks (on FGT1, the "internal" interface that carries the default gateway): the FortiGate sends hellos there and accepts an adjacency from any device that answers, which lets that device inject routes. In production, list only the subnets that should run OSPF (as FGT2 does), mark interfaces that must not form adjacencies as passive (set passive-interface under config router ospf), and enable MD5 authentication on the OSPF-enabled interfaces (set authentication md5 under config ospf-interface).


Configuration

Note : Only the relevant parts of the configuration are given. The allowaccess lists come from a lab setup; http and telnet are cleartext management protocols and should not be enabled on production interfaces. The empty config redistribute blocks under FGT1's config router ospf are the default entries (status disabled), shown for completeness: the default route reaches FGT2 through default-information-originate, not through redistribution.


  • FGT1

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "lback1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set type loopback
    next
end

config router static
    edit 0
        set device "internal"
        set gateway 192.168.183.254
    next
end

 


config router ospf
    set router-id 10.0.0.1
    set default-information-originate enable
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 0.0.0.0 0.0.0.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
end

 

  • FGT2

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.152 255.255.254.0
        set allowaccess ping https
        set type physical
    next
    edit "lback2"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type loopback
    next
end

config router ospf
    set router-id 10.0.0.2
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set area 0.0.0.0
            set prefix 192.168.182.0 255.255.254.0
        next
        edit 2
            set area 0.0.0.0
            set prefix 10.0.0.2 255.255.255.255
        next
    end
end
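The following Python script is an added example (not code from the article or from Fortinet) that audits a FortiOS "config router ospf" block for the points raised in the Note on the network list: a 0.0.0.0 0.0.0.0 prefix that enables OSPF on every interface, OSPF-enabled interfaces without MD5 authentication, no passive interfaces, and default-information-originate turning the router into an ASBR. It carries its own small parser for the FortiOS config/edit/set/next/end nesting. The sample inputs are constructed: FGT1_OSPF reproduces FGT1's block from this article, HARDENED_OSPF is a hypothetical corrected version. The keyword names passive-interface, ospf-interface and authentication md5 are assumed from the FortiOS CLI and should be checked against the reference for the release in use; the MD5 key definition is omitted from the sample because its CLI form varies between releases.

```python
"""Audit a FortiOS 'config router ospf' block: added example, not article or Fortinet code.

Flags: network prefix 0.0.0.0 0.0.0.0 (OSPF on every interface), OSPF-enabled interfaces
without MD5 authentication, no passive interfaces, and default-information-originate (the
router becomes an ASBR). Assumed CLI keywords: 'passive-interface' under config router ospf,
and 'config ospf-interface' with 'set authentication md5'; verify against your release.
"""
import shlex

# Constructed input: FGT1's OSPF block from the article (area block omitted, default is 0.0.0.0).
FGT1_OSPF = """\
config router ospf
    set router-id 10.0.0.1
    set default-information-originate enable
    config network
        edit 1
            set prefix 0.0.0.0 0.0.0.0
        next
    end
end
"""

# Constructed input: per-subnet prefix, passive loopback, MD5 authentication
# (key definition omitted, its CLI form varies by release).
HARDENED_OSPF = """\
config router ospf
    set router-id 10.0.0.1
    set default-information-originate enable
    set passive-interface "lback1"
    config ospf-interface
        edit "internal-ospf"
            set interface "internal"
            set authentication md5
        next
    end
    config network
        edit 1
            set prefix 192.168.182.0 255.255.254.0
        next
    end
end
"""


def _node():
    return {"set": {}, "config": {}, "edits": {}}


def parse_fortios(text):
    """'config <table>' and 'edit <key>' open child nodes, 'set' stores a value list,
    'next' and 'end' close the current node."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1]["config"].setdefault(" ".join(args), _node()))
        elif kw == "edit":
            stack.append(stack[-1]["edits"].setdefault(" ".join(args), _node()))
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1]["set"].pop(args[0], None)
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_ospf(config_text):
    """Return (severity, message) findings; an empty list means nothing to report."""
    ospf = parse_fortios(config_text)["config"].get("router ospf")
    if ospf is None:
        return [("info", "no 'config router ospf' block found")]
    findings = []
    for key, net in ospf["config"].get("network", _node())["edits"].items():
        if net["set"].get("prefix") == ["0.0.0.0", "0.0.0.0"]:
            findings.append(("high", f"network {key}: prefix 0.0.0.0 0.0.0.0 enables OSPF on "
                                     "every interface, including untrusted ones"))
    interfaces = ospf["config"].get("ospf-interface", _node())["edits"]
    if not interfaces:
        findings.append(("medium", "no ospf-interface entries, so no OSPF authentication: "
                                   "any host on an OSPF-enabled segment can form an adjacency"))
    for name, entry in interfaces.items():
        auth = entry["set"].get("authentication", ["none"])[0]
        if auth != "md5":
            findings.append(("medium", f"ospf-interface {name}: authentication is {auth}, use md5"))
    if not ospf["set"].get("passive-interface"):
        findings.append(("low", "no passive-interface: hellos go out on every OSPF-enabled interface"))
    if ospf["set"].get("default-information-originate") == ["enable"]:
        findings.append(("info", "default-information-originate enabled: this router is an ASBR "
                                 "and injects a default route into the area"))
    return findings


if __name__ == "__main__":
    for sample in (FGT1_OSPF, HARDENED_OSPF):
        for severity, message in audit_ospf(sample):
            print(f"{severity:6} {message}")
```

Feed it the output of "show router ospf" (plus "show router ospf" is enough, the parser ignores tables it does not know). Run on FGT1's block it reports the catch-all prefix, the missing authentication, the missing passive interfaces and the ASBR role; on the hardened block only the ASBR notice remains, which is intended in this scenario.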


Verification
Verification on FGT1. Examples of commands that can be used:

FGT1 # get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/DROther    00:00:37    192.168.182.152 internal

Full means the adjacency with FGT2 is fully synchronized; DROther means FGT2 is neither the Designated Router nor the Backup on the segment. A neighbor listed with an unknown Router ID, or one that stays in Init, ExStart or Exchange, needs investigation.




FGT1 # get router info ospf interface
internal is up, line protocol is up
  Internet Address 192.168.182.151/23, Area 0.0.0.0, MTU 1500
  Process ID 0, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State Backup, Priority 1
  Designated Router (ID) 0.0.0.205, Interface Address 192.168.182.205
  Backup Designated Router (ID) 10.0.0.1, Interface Address 192.168.182.151
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Neighbor Count is 2, Adjacent neighbor count is 2
  Crypt Sequence Number is 6411628
  Hello received 106 sent 90, DD received 12 sent 14
  LS-Req received 0 sent 1, LS-Upd received 20 sent 19
  LS-Ack received 13 sent 15, Discarded 177

FGT1 is the Backup Designated Router on "internal"; the Designated Router (Router ID 0.0.0.205 at 192.168.182.205) is a third OSPF speaker on the shared lab segment that is not part of the diagram, which is also why the neighbor count is 2 rather than 1. Hello and Dead intervals (10/40 here), area ID, network type and authentication settings must match on every router on the segment, otherwise no adjacency forms.


FGT1 # get router info ospf status
 Routing Process "ospf 0" with ID 10.0.0.1
 Process uptime is 15 minutes
[.......]


FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, internal
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/110] via 192.168.182.152, internal, 00:00:22
C       192.168.182.0/23 is directly connected, internal




Verification on FGT2. Examples of commands that can be used:


FGT2 # get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/Backup     00:00:31    192.168.182.151 internal


FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*E2    0.0.0.0/0 [110/10] via 192.168.183.254, internal, 00:03:04
O       10.0.0.1/32 [110/110] via 192.168.182.151, internal, 00:09:36
C       10.0.0.2/32 is directly connected, lback2
C       192.168.182.0/23 is directly connected, internal

FGT2 learns the default route as an OSPF external type 2 route (O*E2). Its next hop is the upstream gateway 192.168.183.254 rather than FGT1: because that gateway sits on a subnet where OSPF is enabled, FGT1 places it in the forwarding address of its type 5 LSA, so FGT2 forwards directly to the gateway instead of taking an extra hop through FGT1.
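As an added example (not code from the article), the following Python script turns the two verification commands above into checks that can be run from a script or a monitoring job: it parses "get router info ospf neighbor" and compares the neighbor table with the Router IDs that are expected to be adjacent, flagging unknown neighbors (a possible rogue OSPF speaker) and adjacencies that never reach Full, and it parses "get router info routing-table all" to confirm how the default route was learned. FGT1_NEIGHBORS and FGT2_ROUTES are copies of the outputs shown above; BAD_NEIGHBORS is a constructed failure case with an invented neighbor 192.0.2.9 and the expected neighbor stuck in ExStart. The output formats are taken from this article; other FortiOS releases may add or reorder columns.

```python
"""Check FortiGate OSPF neighbor and routing-table output: added example, not article code.

parse_ospf_neighbors() reads 'get router info ospf neighbor', check_adjacencies() compares it
with the Router IDs that should be adjacent, and parse_routes()/default_route() read
'get router info routing-table all'. Sample outputs are constructed: FGT1_NEIGHBORS and
FGT2_ROUTES copy the article's output, BAD_NEIGHBORS is an invented failure case.
"""
import ipaddress
import re

FGT1_NEIGHBORS = """\
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/DROther    00:00:37    192.168.182.152 internal
"""

# Invented: the expected neighbor is stuck in ExStart (typical of an MTU mismatch)
# and an unknown router, 192.0.2.9, has become DR on the segment.
BAD_NEIGHBORS = """\
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   ExStart/DROther 00:00:35    192.168.182.152 internal
192.0.2.9       255   Full/DR         00:00:39    192.168.182.205 internal
"""

FGT2_ROUTES = """\
O*E2    0.0.0.0/0 [110/10] via 192.168.183.254, internal, 00:03:04
O       10.0.0.1/32 [110/110] via 192.168.182.151, internal, 00:09:36
C       10.0.0.2/32 is directly connected, lback2
C       192.168.182.0/23 is directly connected, internal
"""

ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>[\d.]+),\s+(?P<iface>\w+)"
    r"|is directly connected,\s+(?P<ciface>\w+))"
)


def parse_ospf_neighbors(text):
    """Return {router_id: fields}; header and process lines do not have 6 fields and are skipped."""
    neighbors = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        try:
            ipaddress.IPv4Address(fields[0])
        except ValueError:
            continue
        state, _, role = fields[2].partition("/")   # e.g. "Full/DROther"
        neighbors[fields[0]] = {"priority": int(fields[1]), "state": state, "role": role or None,
                                "dead_time": fields[3], "address": fields[4], "interface": fields[5]}
    return neighbors


def check_adjacencies(neighbors, expected_ids, local_is_dr_or_bdr=True):
    """List missing, unexpected and not-fully-adjacent neighbors.

    A DR or BDR (FGT1 shows 'State Backup' above) must reach Full with every neighbor;
    two DROthers legitimately stop at 2-Way, which is accepted only when
    local_is_dr_or_bdr is False.
    """
    problems = [f"expected neighbor {rid} missing" for rid in sorted(expected_ids - set(neighbors))]
    for rid, n in neighbors.items():
        if rid not in expected_ids:
            problems.append(f"unexpected neighbor {rid} at {n['address']} on {n['interface']}")
        elif n["state"] != "Full" and not (
            n["state"] == "2-Way" and n["role"] == "DROther" and not local_is_dr_or_bdr
        ):
            problems.append(f"neighbor {rid} stuck in {n['state']} on {n['interface']}")
    return problems


def parse_routes(text):
    """Parse routing-table lines; 'via' is None for connected routes."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": m["code"], "prefix": m["prefix"], "via": m["via"],
                           "ad": int(m["ad"]) if m["ad"] else None,
                           "metric": int(m["metric"]) if m["metric"] else None,
                           "interface": m["iface"] or m["ciface"]})
    return routes


def default_route(routes):
    """Return the installed default route, or None."""
    return next((r for r in routes if r["prefix"] == "0.0.0.0/0"), None)


if __name__ == "__main__":
    print(check_adjacencies(parse_ospf_neighbors(FGT1_NEIGHBORS), {"10.0.0.2"}))
    print(check_adjacencies(parse_ospf_neighbors(BAD_NEIGHBORS), {"10.0.0.2"}))
    print(default_route(parse_routes(FGT2_ROUTES)))
```

Keeping the expected Router ID set explicit is the point of the check: on a segment where OSPF runs without authentication, an unexpected entry in the neighbor table is the first visible sign that something other than the intended FortiGates is exchanging LSAs.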