Modem
FortiGate units support the use of wireless, 3G and 4G modems connected using the USB port or, if available, the express card slot. Modem access provides either primary or secondary (redundant) access to the Internet. For FortiGate units that do not include an internal modem (those units with an “M” designation), the modem interface will not appear in the web-based manager until enabled in the CLI. To enable the modem interface enter the CLI commands:
config system modem
set status enable
end
You will need to log out of the FortiGate and log back in to see the modem configuration page at System > Network > Modem. Once enabled, modem options become available by going to System > Network > Interface.
Note that the modem interface is only available when the FortiGate unit is in NAT mode. To configure modem settings, go to System > Network > Modem.
Configuring the modem settings is a matter of entering the ISP phone number, user name and password. Depending on the modem, additional information may need to be supplied such as product identifiers, and initialization strings.
The FortiGate unit includes a number of common modems within its internal database. You can view these by selecting the Configure Modem link on the Modem Settings page. If your modem is not on the list, select Create New to add the information. This information is stored on the device, and will remain after a reboot.
Fortinet has an online database of modem models and configuration settings through FortiGuard. A subscription to the FortiGuard services is not required to access the information. As models are added, you can select the Configure Modem link and select Update Now to download new configurations.
USB modem port
Each USB modem has a specific dial-out port, which is indicated in the documentation for your modem. To enable the correct USB port, use the CLI commands:
config system modem
set wireless-port {0 | 1 | 2}
end
To test the port, use the diagnose command:
diagnose sys modem com /1
Replace the 1 with the value of the USB port you selected. The response will be:
Serial port: /dev/1
Press Ctrl+W to exit.
If the port does not respond the output will be:
Can not open modem device ‘/dev/1’ : Broken pipe
Modes
The FortiGate unit allows for two modes of operation for the modem: stand alone and redundant. In stand alone mode, the modem connects to a dialup ISP account to provide the connection to the Internet. In redundant mode, the modem acts as a backup method of connecting to the Internet, should the primary port for this function fail.
Configuring stand alone and redundant modes is very similar. The primary difference in redundant mode is the selection of the interface that the modem will replace in the event of it failing, and the configuration of a PING server to monitor the chosen interface.
Configuring stand alone mode
Configuring stand alone mode is a matter of configuring the modem information and the dial mode. The dial mode is either Always Connect or Dial on Demand. Selecting Always Connect ensures that once the modem has connected, it remains connected to the ISP. With Dial on Demand selected, the modem only calls the ISP if packets are routed to the modem interface. Once the packets are sent, the modem will disconnect after a specified amount of time.
To configure standalone mode as needed – web-based manager
1. Go to System > Network > Modem.
2. Select the Mode of Standalone.
3. Select the Dial Mode of Dial on Demand.
4. Set the number of redials the modem attempts if the connection fails to 5.
5. Select Apply.
To configure standalone mode as needed – CLI
config system modem
set status enable
set mode standalone
set auto-dial enable
set redial 5
end
Configuring redundant mode
Redundant mode provides a backup to an interface, typically to the Internet. If that interface fails or disconnects, the modem automatically dials the configured phone number(s). Once connected, the FortiGate unit routes all traffic to the modem interface until the monitored interface is up again. The FortiGate unit pings the connection to determine when it is back online.
For the FortiGate to verify when the interface is back up, you need to configure a Ping server for that interface. You will also need to configure security policies between the modem interface and the other interfaces of the FortiGate unit to ensure traffic flow.
To configure redundant mode as needed – web-based manager
1. Go to System > Network > Modem.
2. Select the Mode of Redundant.
3. Select the interface the modem takes over from if it fails.
4. Select the Dial Mode of Dial on Demand.
5. Set the number of redials the modem attempts if the connection fails to 5.
6. Select Apply.
To configure redundant mode as needed – CLI
config system modem
set status enable
set mode redundant
set interface wan1
set auto-dial enable
set redial 5
end
Link Health Monitor
Adding a link health monitor is required for routing failover traffic. A link health monitor confirms the connectivity of the device’s interface.
To add a link health monitor
config system link-monitor
edit "Example1"
set srcintf <Interface_sending_probe>
set server <ISP_IP_address>
set protocol <Ping or http>
set gateway-ip <the_gateway_IP_to_reach_the_server_if_required>
set failtime <failure_count>
set interval <seconds>
set update-cascade-interface enable
set update-static-route enable
set status enable
end
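Redundant mode only fails over and back correctly if a link health monitor watches the interface the modem replaces. The following added example (not Fortinet code) audits a configuration backup for that pairing. The sample backup, the function names and the treatment of unset options as enabled are assumptions.

```python
import re

# Constructed sample backup (not from the page): the monitor probes wan2,
# but the modem is set to take over from wan1.
SAMPLE = '''config system modem
    set status enable
    set mode redundant
    set interface "wan1"
end
config system link-monitor
    edit "Example1"
        set srcintf "wan2"
        set server "192.0.2.1"
end
'''

def block(cfg, header):
    """Body lines of a top-level 'config <header>' ... 'end' block."""
    m = re.search(r'^config %s\n(.*?)^end$' % re.escape(header), cfg, re.M | re.S)
    return m.group(1).splitlines() if m else []

def settings(lines):
    """Turn 'set key value' lines into a dict, dropping surrounding quotes."""
    pairs = (l.split(None, 2) for l in lines)
    return {p[1]: p[2].strip('"') for p in pairs if len(p) == 3 and p[0] == 'set'}

def monitors(cfg):
    """One settings dict per 'edit' entry of the link-monitor block."""
    entries = []
    for line in block(cfg, 'system link-monitor'):
        if line.split()[:1] == ['edit']:
            entries.append([])
        elif entries:
            entries[-1].append(line)
    return [settings(e) for e in entries]

def audit(cfg):
    """Return findings for a redundant-mode modem lacking a usable monitor."""
    modem = settings(block(cfg, 'system modem'))
    if modem.get('status') != 'enable' or modem.get('mode') != 'redundant':
        return []
    iface = modem.get('interface')
    # Assumption: unset options keep an enabled default; only 'disable' fails.
    live = [m for m in monitors(cfg)
            if m.get('srcintf') == iface and m.get('status') != 'disable']
    if not live:
        return ['no enabled link-monitor probes from %s' % iface]
    if all(m.get('update-static-route') == 'disable' for m in live):
        return ['link-monitor on %s does not update static routes' % iface]
    return []
```

Calling audit(SAMPLE) reports the mismatch; pointing the monitor's srcintf at wan1 clears it.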
Additional modem configuration
The CLI provides additional configuration options when setting up the modem options including adding multiple ISP dialing and initialization options and routing. For more information, see the CLI Reference.
Modem interface routing
The modem interface can be used in FortiOS as a dedicated interface. Once enabled and configured, you can use it in security policies and define static and dynamic routing. Within the CLI commands for the modem, you can configure the distance and priority of routes involving the modem interface. The CLI commands are:
config system modem
set distance <route_distance>
set priority <priority_value>
end
For more information on the routing configuration in the CLI, see the CLI Reference. For more information on routing and configuring routing, see the Advanced Routing Guide.