khalavak
New Member
December 5, 2021
Question

FortiGate + FortiSwitch VLANs on both devices?

  • 14 replies
  • 44676 views

Hello,

first-time poster here, so have mercy :)

I am new to Fortinet but a long-time security/networking administrator. I recently acquired a FortiGate 40F, FortiSwitch 108F and a FortiAP 221 to test it out and learn about Fortinet.

I am running into a stupid problem that I can't understand:

I would like to create VLANs on both FortiSwitch and FortiGate so that the FortiGate is the gateway and DHCP server on these VLAN networks. Furthermore, I would like to use the VLANs on the FortiSwitch so that I can use multiple ports on the switch on these VLANs, say ports 1-4 have native VLAN accounting_VLAN and ports 5-8 have VLAN printer_vlan, etc.

I would also like to use one or more ports on the FortiGate on these VLANs if needed. But this does not seem to be possible: to create a VLAN and then tag the VLAN on both FortiGate and FortiSwitch ports?

From what I can see now, if using VLANs on the FortiSwitch, I can't use these VLANs on the FortiGate ports and use the FG ports for connecting devices to the VLANs that I use?

High-level overview of what I am trying to do:

1. Create VLANs accounting_VLAN (VLAN ID 10) and office_VLAN (VLAN ID 20) on the FortiGate with IP address and DHCP enabled etc., so that the FortiGate is the gateway for the VLAN network.

2. Use the accounting_VLAN on FortiGate ports so that devices can be plugged into the FortiGate and assigned to one of these VLANs (if FG-40F, then fewer ports to use; if 200F, then more ports to use).

3. Connect the FortiSwitch to the FortiGate using FortiLink.

4. Trunk the accounting_VLAN on the trunk to the FortiSwitch.

5. Use the accounting_VLAN ports on the FortiSwitch, for example ports 1-8 on accounting_VLAN and ports 9-13 on office_VLAN.

However, this doesn't seem to be possible from my testing of different configurations? I can create VLANs on the FortiSwitch and tag them as native VLANs on different ports, but I can't use those VLANs on the FortiGate for creating a firewall/gateway interface to those VLANs.

What am I missing?

Best regards,

Kim

14 replies

johnh
New Member
November 14, 2023

Try this:

On FS:

1. Create your two VLAN IDs with a blank IP (0.0.0.0/0.0.0.0).

2. Assign the VLANs to their respective ports, either as native or trunked.

On FG:

1. Remove the hardware switch ports from any attached interface.

2. Create a new interface of type software switch for each VLAN.

3. Add the member ports and the associated VLAN you want to traverse those ports.

4. Configure the IP/netmask, the DHCP server options and any other settings you want for that software switch interface/VLAN.

One caveat I read is that using a software switch is not recommended due to possible performance hits.

edit:

I just tried this on one of my setups and it didn't work properly. It looks like we can only add one FortiSwitch-created VLAN into each software switch. So in doing so, you will need to create two software switches. The only issue with that is, it looks like you may need to connect two patches to the FortiSwitch so you can trunk both of the VLANs to the switch. So I would just create one software switch for one particular VLAN. Then you can connect devices for that VLAN onto the FG and FS. Then create a separate VLAN on the FS for the second VLAN with the proper IP and DHCP settings. Then assign the VLANs to the correct ports on the switch.

Sorry, rambling... lol

efernandes
Explorer II
November 16, 2023

Thank you for your response, seems like we will be separating WAN and FortiLans on our setup.

christian_s
New Member
November 16, 2023

Hi!

I had the exact same topic. I managed to solve it like this:

1) Add a VLAN to the FortiLink interface. Important: disable the option "Create address object matching subnet". This is crucial; as soon as you have a reference on the VLAN, you can't add it to a software switch anymore.

2) Add the VLAN to the software switch (like you do with a physical interface); it should be available now.

3) Now you can assign the VLAN to a port on the FortiSwitch. It should assign correctly and you should receive an IP address from the DHCP configured on the software switch.

I hope that helps.

Kind regards,

Christian

 

 

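The procedure johnh and christian_s describe in GUI terms, written out as FortiOS 7.x CLI. This is an added example for illustration, not configuration posted by anyone in the thread or shipped by Fortinet. Assumed names: FortiLink interface "fortilink", FortiGate LAN port "internal3" (on a 40F the LAN ports sit in the hardware switch "internal" by default), software switch "acct_sw", FortiSwitch serial "S108FXXXXXXXXXX", VDOM "root", subnet 192.168.10.0/24 for VLAN 10; adjust to your unit. Lines starting with # are annotations.

```text
# 1) VLAN on the FortiLink, with no IP of its own: the address will sit on
#    the software switch. Created from the CLI, no firewall address object
#    is generated, so nothing references the VLAN and it can still be added
#    to a software switch (the GUI option christian_s mentions is the
#    equivalent of leaving that object out).
config system interface
    edit "accounting_VLAN"
        set vdom "root"
        set interface "fortilink"
        set vlanid 10
    next
end

# 2) Free a FortiGate port by taking it out of the hardware switch
#    (johnh's step 1). Assumed hardware switch "internal", port "internal3".
config system virtual-switch
    edit "internal"
        config port
            delete "internal3"
        end
    next
end

# 3) Software switch bridging the FortiGate port (untagged) and the
#    FortiLink VLAN (tagged on the trunk). One FortiLink VLAN per software
#    switch, as johnh observed; a second VLAN needs a second switch.
config system switch-interface
    edit "acct_sw"
        set vdom "root"
        set member "internal3" "accounting_VLAN"
    next
end

# 4) Gateway address and DHCP scope on the software switch.
config system interface
    edit "acct_sw"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
config system dhcp server
    edit 10
        set interface "acct_sw"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.199
            next
        end
    next
end

# 5) FortiSwitch ports on the VLAN as native (untagged). The switch
#    controller adds VLAN 10 to the FortiLink trunk by itself.
config switch-controller managed-switch
    edit "S108FXXXXXXXXXX"
        config ports
            edit "port1"
                set vlan "accounting_VLAN"
            next
            edit "port2"
                set vlan "accounting_VLAN"
            next
        end
    next
end

# 6) Nothing leaves the segment without a policy. Keep it narrow; this one
#    only allows the VLAN out to the WAN with NAT. Assumed WAN name "wan".
config firewall policy
    edit 0
        set name "acct_to_wan"
        set srcintf "acct_sw"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After this a host on FortiSwitch port1 and a host on internal3 should both take a lease from 192.168.10.0/24 and see each other through the software switch. Two things to keep in mind from the thread: a software switch is forwarded by the CPU rather than the switch ASIC, so it is the wrong tool for high-throughput segments, and if the VLAN was created in the GUI with an address object it must be unreferenced (object deleted) before `set member` will accept it.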
MateWorks
Explorer
December 7, 2023

Hi @christian_s

This version worked for me, thanks a lot!

I assigned the VLAN, Wi-Fi SSID and native ports in the software switch and it is working well.

Regards,

Krisztian

FPatrik
Staff
July 18, 2025

Hi all,

It's been a few years since this post :)

Is there a better way of doing the above now?

Thanks!

boneyard
Valued Contributor
August 10, 2025

I don't think so. To be honest, I don't see this ever happening; it doesn't match with how FortiSwitch managed by FortiGate is set up.

If anyone with the right contacts can ever ask this of FortiSwitch product development, that would be helpful.