By Manny Fernandez

February 1, 2019

Configuring FortiExtender

For those of you that have not heard or seen FortiExtender, it is a 3G/4G LTE modem that can be attached to a FortiGate or other device and used as a primary, secondary or tertiary connection.  The one I was testing has two SIM slots.  Use cases could be anything from a retail store having the 4G LTE as a backup in case their terrestrial circuit goes down to a construction site where there are no facilities delivered in the area yet, to a primary internet connection.  FortiCloud can also manage thousands of these devices even if they are attached to non-Fortinet devices.

When configuring a FortiExtender on a FortiGate, you need to make some CLI changes to the FortiGate to enable the FortiExtender. In my lab, I have configured a FortiExtender FEX-40D AMEU using T-Mobile on my FortiGate 300E. Let’s get started.

First thing you will need to do is enable the FortiExtender from the SYSTEM, FEATURE VISIBILITY. You will notice that it is disabled and has a message saying FortiExtender needs to be enabled via the CLI.

From the command line, you can run the following command ‘show system global’. You will notice that FortiExtender is not on the default list of configurations.

Her you can see that I issued the ‘config system global’ and ‘set fortiextender enable’ and finally ‘end’. Now when you issue the ‘show system global’ you can NOW see the fortiextender being enabled.

Remember you will need to go back into the GUI under the ‘feature visibility’ section and tick the radio button.

You can now see that the option to enable it is visible.

You will need to configure the Interface that will connect to the FortiExtender. Ensure that ‘CAPWAP’ is enabled from the ‘Administrative Access’ section.

NOTE: In my lab, I used a VLAN assigned to a port on my FortiSwitch since I needed PoE, but the above screenshot shows the configuration.

1. Alias – This is optional but recommended.

2. Give it an IP address and mask

3. Ensure CAPWAP is enabled.

4. Turn on DHCP Server (Optional but recommended).

Once the FortiExtender is booted up and attached to the FortiGate, you will need to Authorize it. You need to create an ‘Interface name’ for it and ‘authorize

Now that you have it authorized, you will notice that under NETWORK, INTERFACES you will have a new entry.

Ensure that you create policies for the FortiExtender interface and if you are using ‘Central SNAT‘, ensure you have an entry there.

Hope this helps.

Recent posts

  • There are many options when troubleshooting in FortiGate firewalls. ... Full Story

  • Have you ever had an IPS signature that continues... Full Story

  • Use case:  Customer has a Split Tunnel Enabled but... Full Story