How to Configure VXLAN on Fortigate

Hello everyone, in this video I will show how you can extend VLANs over an IP network. On a FortiGate you can do this with VXLAN: the Layer 2 frames of the VLAN are encapsulated in UDP (port 4789 by default) and sent to a peer FortiGate, which strips the encapsulation and bridges them onto its own local segment.

1. Access the FortiGate GUI:

  • Open a web browser and enter the IP address of your FortiGate firewall to access the graphical user interface (GUI).
  • Log in with administrator credentials.

2. Create the VXLAN Interface:

  • Navigate to Network > Interfaces and click Create New > Interface. Depending on firmware, VXLAN is offered as an interface Type here; if it is not, define it in the CLI under config system vxlan. Either way the result appears in the interface list.
  • Fill in the following details for the VXLAN interface:
    • Name: A descriptive name for the VXLAN interface (e.g., VXLAN1).
    • Interface: The underlay interface whose IP address becomes this FortiGate's VTEP (tunnel endpoint) address, typically a physical WAN port or an IPsec tunnel interface.
    • VXLAN ID (VNI): A 24-bit identifier (1 to 16777215) for the VXLAN segment. A frame arriving with a VNI the FortiGate has not configured is silently dropped, so the VNI must match on every VTEP in the segment.
    • IP version: Unicast (one or more explicit remote VTEP addresses) or multicast (one group address shared by all VTEPs). Unicast is the simplest choice for two sites.
    • Remote IP address(es) or multicast group: The peer VTEP address(es), or the group address, depending on the IP version chosen.
    • VXLAN port: The UDP destination port for VXLAN traffic (default 4789). It must match on both ends.
  • Click OK to create the VXLAN interface.

3. Bridge the VXLAN Interface to the Local Segment:

  • Still under Network > Interfaces, click Create New > Interface and set Type to Software Switch (CLI: config system switch-interface).
  • Add as members the VXLAN interface from step 2 and the local physical port or VLAN interface that carries the VLAN you want to extend. Hosts on that port and hosts behind the remote FortiGate now share one Layer 2 segment.
  • The local VTEP address is simply the IP address of the underlay interface chosen in step 2. It does not have to be on the same subnet as the remote VTEP; the two only need to be IP-reachable from each other on UDP 4789 (or the port you chose).
  • Click OK to save the software switch.

4. Address the Overlay Segment (Optional):

  • There is no separate "overlay network object" on a FortiGate. The software switch from step 3 is the overlay segment, and the VNI is set once, on the VXLAN interface from step 2.
  • If the FortiGate should route for hosts on the segment (or be reachable from them), edit the software switch interface under Network > Interfaces and give it an IP address and only the administrative access you actually need.
  • If the FortiGate should only bridge the segment transparently between the two sites, leave the switch interface unaddressed.

5. Create Firewall Policies:

  • Under Policy & Objects > Firewall Policy (IPv4 Policy on older firmware), create policies that allow traffic between the software switch interface and other interfaces, for example between the overlay segment and the rest of the LAN or the WAN.
  • In the policy settings:
    • Use the software switch interface as the incoming or outgoing interface, and address objects for the hosts on it as source and destination.
    • Specify the desired action (e.g., ACCEPT) and enable logging.
    • Set any required security profiles, such as antivirus or intrusion prevention.
  • By default, traffic between members of the same software switch is bridged without consulting a firewall policy (intra-switch-policy implicit). Set it to explicit if frames crossing the VXLAN to the remote site should be subject to a policy and inspection.
  • Click OK to create the firewall policy.

6. Routing (if needed):

  • The underlay must have a route to the remote VTEP address (a static or default route out of the interface chosen in step 2). Without it no VXLAN packets leave the box.
  • If you addressed the overlay segment in step 4, add routes for it exactly as you would for any other interface, and repeat for each additional VXLAN segment.

7. Security Profiles (if needed):

  • Security profiles on the firewall policies inspect the decapsulated overlay traffic that crosses those policies (antivirus, intrusion prevention, application control).
  • They do nothing for the VXLAN transport itself. VXLAN carries no authentication or encryption, so anyone who can send UDP 4789 to the VTEP address with the right VNI can inject frames into the segment, and anyone on the path can read them. Across an untrusted network, run VXLAN inside an IPsec tunnel by choosing the tunnel interface as the underlay in step 2, and restrict which addresses may reach the VTEP port.

8. Monitor and Troubleshoot:

  • Use the FortiGate GUI or CLI to confirm the VXLAN and software switch interfaces are up and passing traffic. In the CLI, diagnose sniffer packet <underlay> 'udp port 4789' shows the encapsulated packets on the wire; if nothing appears in one direction, check the underlay route and anything between the two VTEPs that might filter that UDP port.
  • Check the traffic logs for sessions denied by the policies from step 5.
  • If both sides are sending but hosts cannot reach each other, compare the VNI, UDP port and IP version on both ends; a mismatch drops frames silently with no log entry.

9. Repeat on Remote FortiGate (if applicable):

  • Repeat the configuration on each remote FortiGate that participates in the segment, with its remote IP pointing back at this unit and the same VNI, UDP port and IP version. Only the underlay interface, the local member port and the remote IP differ per site.

10. Test and Verify:

  • Test connectivity between hosts on the extended VLAN at the two sites (for example, ping between two hosts in the same subnet, one behind each FortiGate) to confirm that frames are bridged across the VXLAN and that the firewall policies are applied as intended.
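The CLI equivalent of steps 2 to 6, plus the verification commands from step 8, as one added example for the first FortiGate. This is not configuration from the video; the interface names (port1 as underlay, port3 as the local VLAN port), the VTEP addresses 203.0.113.1 and 203.0.113.2, the VNI 1000, the switch name vx-sw, the overlay address and the policy name are all assumed. Lines beginning with # are comments.

```fortios
# FortiGate A (site 1). Assumed: port1 = underlay with 203.0.113.1, port3 = local LAN port.
# The VXLAN object: underlay interface, VNI, unicast peer and UDP port.
# To run inside IPsec instead, set interface to the phase1 tunnel name.
config system vxlan
    edit "vxlan1"
        set interface "port1"
        set vni 1000
        set ip-version ipv4-unicast
        set dstport 4789
        set remote-ip "203.0.113.2"
    next
end

# Bridge the VXLAN interface with the local port so both sites form one L2 segment.
# intra-switch-policy explicit forces frames crossing the switch (and so the VXLAN)
# through a firewall policy; the default is implicit (bridged with no policy).
config system switch-interface
    edit "vx-sw"
        set vdom "root"
        set member "port3" "vxlan1"
        set intra-switch-policy explicit
    next
end

# Optional: address the overlay segment so the FortiGate can route for it (step 4).
config system interface
    edit "vx-sw"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end

# Policy for traffic between switch members, required because intra-switch-policy is explicit.
# Narrow srcaddr/dstaddr/service and add security profiles as your segment requires.
config firewall policy
    edit 0
        set name "vxlan-segment"
        set srcintf "vx-sw"
        set dstintf "vx-sw"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Underlay route to the peer VTEP (step 6). Assumed next hop 203.0.113.254 on port1.
config router static
    edit 0
        set dst 203.0.113.2 255.255.255.255
        set gateway 203.0.113.254
        set device "port1"
    next
end

# FortiGate B (site 2) is identical except:
#   set remote-ip "203.0.113.1"   in config system vxlan
#   its own local port            in the switch member list
#   its own overlay address       on vx-sw
# VNI, dstport and ip-version must be the same on both units.

# Verification (step 8): encapsulated packets on the underlay, then the routing table.
diagnose sniffer packet port1 'udp port 4789' 4 0 l
get router info routing-table all
```

If the sniffer shows packets leaving port1 but nothing arriving from 203.0.113.2, the problem is in the underlay (route, NAT or a filter on UDP 4789 between the sites), not in the VXLAN settings; if packets flow both ways but hosts cannot ping, compare vni, dstport and ip-version on the two units first.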

Always consult the Fortinet documentation for your specific FortiGate model and firmware version, as there may be slight variations in the user interface and configuration options.