Skip to main content
BobAHomeOfficeUser
BobAHomeOfficeUser
New Member
March 6, 2022
Question

How to set up FG 40F to manage two independent switches?

  • March 6, 2022
  • 4 replies
  • 8585 views

Would like to set up Fortigate 40F to manage two independent (not interconnected) switches.
One switch located in home office space.
Other switch located near printers and entertainment devices.

 

There is little traffic between the switches. Occasionally traffic between office and printers;

 

Have already re-allocated lan3 from the hardware switch to the fortilink 802.3ad interface; and disabled the split link interface on fortilink.

 

Even so, only one switch shows as online at a time.

 

Currently:

hardware / OS:
1 FortiGate 40F FortiOS v7.0.5
1 FortiSwitch 108E v7.0.3
1 FortiSwitch 108F v7.0.3

 

Physical connections:
FG40F port lan3 - FS108E port 8
FG40F port a - FS108F port 8

 

current fortilink configuration:
config system interface
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 192.168.4.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set member "a" "lan3"
set lldp-reception enable
set lldp-transmission enable
set snmp-index 6
set auto-auth-extension-device enable
set fortilink-split-interface disable
set switch-controller-nac "fortilink"
set switch-controller-dynamic "fortilink"
set swc-first-create 255
next
end

 

Can this be done using a single fortilink interface? If so, what configuration changes are needed?

Does a second independent 802.3ad aggregate and/or fortilink interface need to be added? Is this even possible? (I'm not afraid of the CLI interface; but I need to know what to enter.)

What relevant documentation exists to address this specific question?

4 replies

Anthony_E
Staff
Anthony_E
Staff
March 9, 2022

Hello Bob,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
March 9, 2022

Hi Bob,

 

I have found this KB article:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-up-hardware-switch-interface-as-port-monitor/ta-p/195049

 

Could you please tell me if it helped?

If not, we will find another to solution to answer your question.

 

Regards,

Best Regards
BobAHomeOfficeUser
BobAHomeOfficeUserAuthor
New Member
March 20, 2022

Anthony,


Thanks for taking the time to answer.


The link provided discusses how to configure a port to be an HA port monitor.
I followed the steps of:
1. Dissociate port3 from the lan
2. Configure port3
2a. Role LAN
2b. Addressing mode Manual
2c. IP 192.168.3.1
2d. Administrative access HTTPS / PING / FMG_Access / Security Fabric connection
3a. Additionally I set up a DHCP Server; as the switch being connected has no fixed IP address (yet)
3b. Additionally set up a firewall policy to access the 192.168.3.0 subnet

 

Result so far is that I can ping and get administrative access by logging directly on to the switch at its assigned IP address. The only management mode on the switch is local management.

 

Back on the fortigate, the link3 shows up, and the DHCP client is assigned; but the switch does not appear under managed switches.

 

I'm back to my original questions
A. Can this be done using a single fortilink interface?
A1. If so, what configuration changes are needed?
A2. Is set type aggregate appropriate? What other options exist for a Fortilink?

 

B. Does a second independent fortilink interface need to be added?
B1. Is this even possible?
B2. (I'm not afraid of the CLI interface; but I need to know what to enter.)

 

Regards,

Bob

sachitdas_FTNT
Staff
sachitdas_FTNT
Staff
March 14, 2022

Hi,

Please refer https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/801202/single-fortigate-unit-managing-multiple-fortiswitch-units-using-a-hardware-or-software-switch-interface

 

 

    BobAHomeOfficeUser
    BobAHomeOfficeUserAuthor
    New Member
    March 20, 2022

    Sachit,

    Thanks for taking the time to answer. 

    The link is a diagram of a topology; but doesn't address the steps to make all the switches managed by the Fortigate.

    Regards,

    Bob

      sachitdas_FTNT
      Staff
      sachitdas_FTNT
      Staff
      March 21, 2022

      Hi Bob,

      You need to configure interface type as hardware switch on FGT - map 2 ports of FGT as member of hardware switch - connect the switches to the ports.

        ede_pfau
        SuperUser
        ede_pfau
        SuperUser
        March 21, 2022

        @BobAHomeOfficeUserIndeed, if you want to manage multiple switches you need to enable 'fortilink-split-interface' mode.

        As there can only be one fortilink on each FGT, you will need to either use a hardware switch, a software switch or an aggregate (LACP). As you are already using the latter, you're fine.

        The fortilink interface offers IP addresses to switches via DHCP.

        Make sure you connect the switches using switch ports which have auto-detection enabled. These ports vary with the switch model. On a FS-108E, it's port 7-10. On a FS-108F, I would assume the same ports. The table in https://docs.fortinet.com/document/fortiswitch/7.0.4/devices-managed-by-fortios/173260/configuring-fortilink does not mention the F series switches.

        So, in short:

        - use a multiport interface

        - enable split mode

        - connect an auto-detecting switchport on each switch

        Terms & ConditionsAccessibility statement