Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
AlexC-FTNT
Staff
Staff

Created on ‎05-23-2022 02:51 AM Edited on ‎02-05-2024 09:24 AM By Moderator

Article Id 210092

Technical Tip: Setup comparison between FortiGate Hardware switch, Software switch, VLAN switch

Description

 

This article describes some details that may be helpful for getting started with setting up a switch on a FortiGate.

Some differences are presented in terms of functionality, and some general setup guides to consider before chosing the appropriate setup. 

 

Scope

 

FortiGate - all supported versions (6.2+).

A general comparison of previous versions and still valid in current units can be found here.

 

Note that not all FortiGates can support VLAN switch, and not all firmware versions! Also, the commands.

to set up the switches are slightly different throughout the versions (5.6/6.0/6.2/64/7.0). Refer to the CLI guide for the version used.

CLI guides available here (change to appropriate version from the top navigational bar).

 

Solution

 

Main differences.

 

Software switch: Traffic is processed by CPU (more functions, no native VLAN).
A software switch is a virtual switch that is implemented at the software or firmware level and not at the hardware level.

Hardware switch : Traffic is processed by hardware, no native VLAN set up.
A hardware switch is a virtual switch interface that groups different ports (considered by default trunk ports) together so that the FortiGate can use the group as a single interface.
Supported FortiGate models have a default hardware switch called either internal or LAN.

The hardware switch is supported by the chipset at the hardware level.

VLAN switch (sample config for 300E) similar to a hardware switch, but considers the member ports as one-vlan interfaces by default.

Native VLAN must be defined.

In this construct, (only) ONE  of the ports can be also changed to 'trunk':

 

# config system interface

    edit portX

        set trunk enable (default disable)

    end

 

This port can be connected to a switch to propagate the VLAN to the switch access.
Additional ports that are part of the VLAN switch cannot be changed to trunk.

 

VLAN switch and Hardware switch can't coexist in the same unit.

Once VLAN Switch is enabled, the Hardware switch is converted to VLAN switch, and vice versa.

 

Warnings displayed:

 

FortiGate (global) # set virtual-switch-vlan disable <----- This change will disable trunk on interfaces and remove VLAN from virtual switches.

 

FortiGate (global) # set virtual-switch-vlan enable <----- This change will assign a non-zero VLAN id to virtual switches. (Usually vlan 2 if not used).

 

AlexCFTNT_0-1650621495869.png

27139
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.