Configuring the network settings
When shipped, each of the FortiRecorder appliance’s physical network adapter ports has a default IP address and netmask. If these IP addresses and netmasks are not compatible with the design of your unique network, you must configure them.
Table 6: Default IP addresses and netmasks
Network Interface*    IP Address      Netmask
port1                 192.168.1.99    255.255.255.0
port2                 192.168.2.99    255.255.255.0
port3                 192.168.3.99    255.255.255.0
port4                 192.168.4.99    255.255.255.0
* The number of network interfaces may vary by model.
To connect to the CLI and web UI, you should configure the following FortiRecorder network settings:
Interface: you must configure at least one network interface on your FortiRecorder appliance (usually port1) with an IP address and netmask so that it can receive your connections.
Static route: Depending on your network, you also usually must configure a static route so that the FortiRecorder can connect to the Internet, your computer, and FortiCam cameras.
DNS server: FortiRecorder appliances require connectivity to DNS servers for DNS lookups. The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP servers defined by their domain names.
To configure a network interface’s IP address
1. Log in to the admin administrator account.
2. Go to System > Network > Interface.
3. Double-click the row to select the physical network interface that you want to modify.
4. If you want to manually assign an IP address and subnet mask to this network interface, select Manual and then provide the IP address and netmask in IP/Netmask. IPv4 and IPv6 subnet masks should be provided in CIDR format, e.g. /24 instead of 255.255.255.0. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.
Otherwise, select DHCP and enable Connect to server to retrieve a DHCP lease when you save this configuration. If you want the FortiRecorder appliance to also retrieve DNS and default route (“gateway”) settings, also enable Retrieve default gateway and DNS from server.
 
If you use DHCP on an interface and there are cameras connected to the interface, you must make sure the IP address will not change on that interface because the cameras need to communicate with the NVR and thus need to be aware of the IP address of the NVR.
 
Retrieve default gateway and DNS from server will overwrite the existing DNS and default route, if any.
5. Configure these settings:
Setting name
Description
Discover cameras on this port
Enable to send multicast camera discovery traffic from this network interface. For more information, see “Connecting FortiRecorder to the cameras” on page 41.
Access
Enable the types of administrative access that you want to permit to this interface.
Caution: Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiRecorder appliance.
 
HTTPS
Enable to allow secure HTTPS connections to the web UI through this network interface. To configure the listening port number, see “Configuring system timeout, ports, and public access”. To upload a certificate, see “Replacing the default certificate for the web UI”.
 
PING
Enable to allow:
ICMP type 8 (ECHO_REQUEST)
UDP ports 33434 to 33534
for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST, FortiRecorder will reply with ICMP type 0 (ECHO_RESPONSE).
Note: Disabling PING only prevents FortiRecorder from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiRecorder CLI commands such as execute ping or execute traceroute that send such traffic.
 
HTTP
Enable to allow HTTP connections to the web UI through this network interface. To configure the listening port number, see “Configuring system timeout, ports, and public access”.
Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.
 
SSH
Enable to allow SSH connections to the CLI through this network interface.
 
SNMP
Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see “SNMP traps & queries”.
 
TELNET
Enable to allow Telnet connections to the CLI through this network interface.
Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.
 
FRC-Central
Enable to allow access from FortiRecorder Central.
MTU
Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiRecorder unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.
The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value. For example, RFC 2516 prescribes a value of 1492 for PPPoE.
Administrative status
Select either:
Up — Enable (that is, bring up) the network interface so that it can send and receive traffic.
Down — Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
6. Click OK.
If you were connected to the web UI through this network interface, you are now disconnected from it.
7. To access the web UI again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse to: https://10.10.10.5
If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiRecorder appliance, you may also need to modify the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP address.
To add a static route
 
If you used DHCP and Retrieve default gateway and DNS from server when configuring your network interfaces, skip this step — the default route was configured automatically.
1. Log in to the admin administrator account.
Other accounts may not have permissions necessary to change this setting.
2. Go to System > Network > Routing.
3. Click New.
4. Configure these settings:
Setting name
Description
Destination IP/netmask
Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ).
The value 0.0.0.0/0 results in a default route, which matches all packets.
Gateway
Type the IP address of the next-hop router where the FortiRecorder appliance will forward packets subject to this static route. This router must know how to route packets to the destination IP addresses that you have specified in Destination IP/netmask, or forward packets to another router with this information.
For a direct Internet connection, this will be the router that forwards traffic towards the Internet, and could belong to your ISP.
Note: The gateway IP address must be in the same subnet as a network interface’s IP address.
5. Click OK.
The FortiRecorder appliance should now be reachable to connections with networks indicated by the mask. When you add a static route through the web UI, the FortiRecorder appliance evaluates the route to determine if it represents a different route compared to any other route already present in the list of static routes. If no route having the same destination exists in the list of static routes, the FortiRecorder appliance adds the static route, using the next unassigned route index number.
 
For small networks with only a few devices, often you will only need to configure one route: a default route that forwards packets to your router that is the gateway to the Internet.
If you have redundant gateway routers (e.g. dual Internet/ISP links), or a larger network with multiple routers (e.g. each of which should receive packets destined for a different subset of IP addresses), you may need to configure multiple static routes.
6. To verify connectivity, from a computer on the route’s network destination, attempt to ping one of FortiRecorder’s network interfaces that should be reachable from that location.
If the connectivity test fails, you can use the CLI commands:
execute ping <destination_ipv4>
to determine if a complete route exists from the FortiRecorder to the host, and
execute traceroute <destination_ipv4>
to determine the point of connectivity failure.
Also enable PING on the FortiRecorder’s network interface, then use the equivalent tracert or traceroute command on the computer (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiRecorder.
If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiRecorder.
To display the cached routing table, enter the CLI command:
diagnose netlink rtcache list
You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and transport layer.
If these tests succeed and a route exists, but you cannot connect using HTTP or HTTPS, an application-layer problem is preventing connectivity.
Verify that you have enabled HTTPS and/or HTTP on the network interface. Also examine routers and firewalls between the host and the FortiRecorder appliance to verify that they permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI command:
diagnose system top 5 30
to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpd are running and not overburdened.
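The interface and static route rules above (CIDR netmasks, no two interfaces on the same subnet, MTU between 576 and 1500, a gateway on an interface's subnet, and the cautions about HTTP and Telnet) can be checked against a planned layout before you enter it in the web UI. The following is an added example, not Fortinet code; the dictionary keys (ip, access, mtu, dest, gateway) and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

INSECURE_ACCESS = {"HTTP", "TELNET"}  # flagged as not secure in the cautions above
MTU_MIN, MTU_MAX = 576, 1500          # MTU range stated in the MTU setting

def check_plan(interfaces, routes):
    """Return sorted (subject, problem) findings for a planned layout."""
    findings, parsed = [], {}
    for name, cfg in interfaces.items():
        _, _, prefix = cfg["ip"].partition("/")
        if not prefix.isdigit():  # e.g. 255.255.255.0 instead of /24
            findings.append((name, "netmask not in CIDR format"))
        try:
            parsed[name] = ipaddress.ip_interface(cfg["ip"])
        except ValueError:
            findings.append((name, "invalid IP/netmask"))
        for proto in sorted(INSECURE_ACCESS & set(cfg.get("access", ()))):
            findings.append((name, f"insecure admin access: {proto}"))
        mtu = cfg.get("mtu", 1500)
        if not MTU_MIN <= mtu <= MTU_MAX:
            findings.append((name, f"MTU {mtu} outside {MTU_MIN}-{MTU_MAX}"))
    # Two network interfaces cannot have IP addresses on the same subnet.
    for (a, ia), (b, ib) in combinations(sorted(parsed.items()), 2):
        if ia.version == ib.version and ia.network.overlaps(ib.network):
            findings.append((f"{a}+{b}", "addresses on the same subnet"))
    # The gateway must be in the same subnet as some interface's IP address.
    for route in routes:
        gw = ipaddress.ip_address(route["gateway"])
        if not any(gw in i.network for i in parsed.values()):
            findings.append((route["dest"], f"gateway {gw} not on any interface subnet"))
    return sorted(findings)

# Constructed sample plan (hypothetical values, not from a real appliance).
SAMPLE_INTERFACES = {
    "port1": {"ip": "10.10.10.5/24", "access": ["HTTPS", "SSH", "PING"]},
    "port2": {"ip": "10.10.10.77/24", "access": ["HTTPS", "TELNET"], "mtu": 1492},
    "port3": {"ip": "192.168.3.99/255.255.255.0", "access": [], "mtu": 9000},
}
SAMPLE_ROUTES = [{"dest": "0.0.0.0/0", "gateway": "10.10.20.1"}]

if __name__ == "__main__":
    for subject, problem in check_plan(SAMPLE_INTERFACES, SAMPLE_ROUTES):
        print(f"{subject}: {problem}")
```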
To configure DNS settings
 
If you will use the settings DHCP and Retrieve default gateway and DNS from server when you configure your network interfaces, skip this — DNS is configured automatically.
1. Log in to the admin administrator account.
Other accounts may not have permissions necessary to change this setting.
2. Go to System > Network > DNS and enter the IP addresses of a primary and secondary DNS server. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.
 
Incorrect DNS settings or unreliable DNS connectivity can cause issues with other features, including the NTP system time. For improved performance, use DNS servers on your local network.
3. Click Apply.
4. To verify your DNS settings, in the CLI, enter the following command:
execute traceroute www.fortinet.com
 
DNS tests may not succeed if you have not yet completed “To add a static route”.
If the DNS query for the domain name succeeds, you should see results that indicate that the host name resolved into an IP address, and the route from FortiRecorder to that IP address:
traceroute to www.fortinet.com (192.0.43.10), 30 hops max, 60 byte packets
1 172.20.130.2 (172.20.130.2) 0.426 ms 0.238 ms 0.374 ms
2 static-209-87-254-221.storm.ca (209.87.254.221) 2.223 ms 2.491 ms 2.552 ms
3 core-g0-0-1105.storm.ca (209.87.239.161) 3.079 ms 3.334 ms 3.357 ms
...
16 43-10.any.icann.org (192.0.43.10) 57.243 ms 57.146 ms 57.001 ms
If the DNS query fails, you will see an error message such as:
www.fortinet.com: Temporary failure in name resolution
Cannot handle "host" cmdline arg `www.fortinet.com' on position 1 (argc 3)
Verify your DNS server IPs, routing, and that your firewalls or routers do not block or proxy UDP port 53.
See also
Connectivity issues