Skip to main content
tony5896
tony5896
New Member
February 19, 2026
Question

FortiGate on a Stick w FortiLink

  • February 19, 2026
  • 2 replies
  • 128 views

Hi. Does anybody have an opinion about FortiGate appliances setup in a design where all routing is between sub-interfaces on the Fortilink interface? I call this a "FortiGate-on-a-Stick" design.

I am considering the ISP connections for a new install consisting of three FS448E switches in a FortiLink design with two FG121G appliances in HA mode. I will use Vlan sub-interfaces on the FortiLink interface for two ISP DIA circuits as well as Vlans in my LAN.

FortiGates-on-a-Stick designFortiGates-on-a-Stick design

 

Is this a bad idea? Is FortiLink stable enough for this design to be reliable? Does FortiOS prefer to separate Inside and Outside on different physical interfaces for NAT and SDWAN features?

 

2 replies

Stephen_G
Moderator
Stephen_G
Moderator
February 23, 2026

Hello,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

If anybody else has any info or advice, please feel free to contribute!

Regards,
Stephen_G - Fortinet Community Team
AEK
SuperUser
AEK
SuperUser
February 25, 2026

Hi Tony

The design looks safe and secure as long as you keep patched. For example if there is a new vulnerability in FortiSwitch/FortiLink then the attacker may easily find himself in the internal network.

But in real word it depends of the design is for which kind of company. For example a bank, a telecom operator or other serious company never do so, while smaller companies may accept it as it is low budget.

You may also look from security standards side, they probably don't recommend it.

AEK
Terms & ConditionsAccessibility statement