Skip to main content
mark8263
mark8263
New Member
December 9, 2025
Question

HP and fortigate - ports and vlans

  • December 9, 2025
  • 1 reply
  • 516 views

Hello all.
I'm trying to understand vlans on the fortigate. i have a 91G and 2 148poe switches in managed mode.
This system will be replacing a sonicwall firewall and hp switch config.

The current config (HP switch, Virtual Server, VLans on VMs) - workstations receive dhcp from a vlan100 server if the hp port is 'tagged' with the correct vlan. An example would be this:
If on the hp switch, G1 has 'untag' (native vlan 1) for port G1 and Tagged with vlan 100, then whenever a device is connected to G1, it receives a dhcp address from my (tagged) vlan 100 server. All this all works well.

The 91g has native vlan1. It's default network is 192.168.1.0 and any devices connected to it get a 192.168.1.x network. The fortigate has also been configured with a Vlan 100 network.

Port 11, on the fortigate is the default vlan1. I connected that port to the HP switch. The hp switch port (uplinked from the fortigate) is configured as "untag G17".
Port 9 on the fortigate is configured with the default vlan 1 network. If i connect a device to Port 9, i get a dhcp address from the 192.168.1.x network.
Whenever i connect the HP and Fortigate together then my devices do not get a dhcp from the fortigate network, but rather from the DHCP server on the HP side - and it is a vlan 100 network.

What's going on?

 

Also, even though I have a access rule for the vlan1-vl100, any any, in both directions - i can't ping either side.

I'd expect whenever the 2 switches are connected that any workstations connected behind Port 9, to have to have the fortigate switch configured on vlan 100 - but that's not the case.

thanks in advance.

1 reply

sw2090
SuperUser
sw2090
SuperUser
December 10, 2025

hm we have some sites that still use hp switches behind a FortiGate here. 

On the HP the uplink to the FGT is untagged in vid 1 (because HP wants the port to untagged in one vlan and we don't use vid 1 anyways) and tagged im any other vlan we use.

Then that uplink port is hooked to a (physical) interface of the FGT (in fact is a hardware switch interface but would work with a single port too). That interface on the FGT carries all the VIDs we need (because a FGT only knows "tagged" - "untagged" traffic would hit the physical interface instead of the vlan interfaces). 

Then there have to be policies to allow traffic as required.

One just have to keep in mind that FortiOS threatens a vlan as a virtual interface that is bond to a physicl one!

 

hth

Sebastian 

mark8263
mark8263Author
New Member
December 16, 2025

I was able to get connectivity between the 2 different switches, temporary that it is, by setting a port on my switch to the same vlan as on the hp - and connecting them together.

It's only temporary as i'm almost thru completing my testing and will soon be switching 'all' over to the FG side.

Terms & ConditionsAccessibility statement