GohanC
Explorer III
September 26, 2022
Solved

Fortilink Layer 3


Hello Team,

We have an environment with a FortiWiFi 40F. In this environment, we will install more than 15 FortiSwitches. According to the FGT 40F's datasheet, it only supports up to 8 FortiSwitches.

Is there a way to manage those FortiSwitches from a remote FortiGate with FortiLink Layer 3?

Basically, the 40F is in a branch office. This branch office is connected to the headquarters by a dedicated link, but the dedicated link is terminated at a 3rd party firewall upstream of the FGT. So, the topology looks like this:

Branch FGT >> (Dedicated Link) >> 3rd Party FW >> HQ FGT

If I configure FortiLink Layer 3 on the FortiSwitches, will it work? In this case, how can I handle VLANs? Can I create the VLANs only on the FGT 40F and pass them to the switches via a link aggregation interface, and just use the HQ FGT to manage the FortiSwitch ports (assign VLANs, configure trunks, etc.)?

Best answer by gfleming

There's a very good doc you should check out. Here's a specific section on the topology you are interested in: https://docs.fortinet.com/document/fortiswitch/7.2.1/fortilink-guide/801182/fortilink-mode-over-a-layer-3-network

In summary, when FortiSwitches are managed by FortiGate, the FortiLink interface becomes the L3 backhaul back to the FortiGate where all inter-VLAN routing occurs.

So if you don't want your inter-VLAN traffic to backhaul over the WAN to the HQ FortiGate, you'd have to have a standalone L3 FortiSwitch or router at Branch to do this for you. You could still have the remaining FortiSwitches managed by the HQ FGT doing VLAN port assignment only (no L3 at HQ side).

Ideally, if I were you, I would invest in a FGT-70F to act as your L3 "core" at branch, managing all of your FortiSwitches and inter-VLAN traffic. Keep the FGT-40F as your WAN firewall.

1 reply

gfleming
Staff
September 27, 2022

You can do this but your inter-VLAN traffic will backhaul over the WAN link from Branch FGT to HQ FGT where the FortiSwitches are managed, along with their VLANs. Unless you have a standalone layer 3 switch at branch office handling your inter-VLAN routing, of course. Then you can just define layer 2 VLANs and define the port memberships that way.

Alternatively, look at FortiSwitch Manager. It can manage remote FortiSwitches (or local if you have a hypervisor at Branch) and leverage the layer 3 functionality right on the switch while keeping it managed.

https://docs.fortinet.com/product/fortiswitch-manager/7.2

GohanC (Author)
Explorer III
September 27, 2022

Hello Graham!

Thanks for your reply.

So, in this case, if the Branch FGT is the only L3 device in the branch, the VLANs cannot be handled only locally; they need to go to the HQ FGT (as their gateway), correct? Why can't I use the branch FGT to deal with the inter-VLAN routing?

And just another question:

What is the recommended configuration for the FortiLink interface on the HQ FGT? Currently, the HQ FGT is connected to the WAN (dedicated link) by a physical L3 interface connected to a 3rd party router. What type of interface can I use to create the FortiLink interface and add the WAN interface as a member of it (aggregate, soft-switch, or even keep it as a physical interface and just enable FortiLink)?

Is there a way to configure the FortiLink interface and its VLANs without changing any configuration on the router side? I need to consider that even if we use a method where the VLANs are handled locally in the branch, at least the internet traffic needs to pass to the HQ FGT, where the outgoing access lists are placed. So, at least one VLAN needs to be created on the FortiLink interface.

Thanks.
