achu
Staff
Article Id 316421
Description: This article describes the setup of a FortiGate deployed on an ESXi host and how to allow VLAN tagging.
Scope: All FortiGate.
Solution

In this setup, FortiGate is deployed as a VM on an ESXi host and the requirement is to allow VLAN-tagged traffic from the FortiGate VM to the core switch in the network. For this to work, VGT (Virtual Guest Tagging) mode must be enabled on the ESXi host. To activate VGT, create a port group with VLAN ID 4095 and assign it to a standard switch. VLAN 4095 allows all VLANs, instead of a single VLAN, to pass through one link.

Note: This applies when a standard switch is used on each ESXi host. When vCenter and a distributed switch are used, the trunk option can be implemented instead.

 

Configure the VLAN interface in FortiGate:

Go to Network -> Interfaces -> Create New -> Interface and enter the following details:

Name: VLAN-10
Interface: port2
VLAN ID: 10
IP Address: 172.16.10.2/30


Configure a new standard switch in ESXi and attach the vmnic (physical uplink interface):

Go to Network -> Virtual switches -> Add standard virtual switch, name it vSwitch1, and attach the vmnic as its uplink.

Configure the port group in ESXi and add it to the standard switch:

Go to Network -> Port groups -> Add port group, enter the following details, and select Add:

Name: Uplink_to_CoreSwitch
VLAN ID: 4095
Virtual Switch: vSwitch1

Meaning of the VLAN ID field:

0: untagged traffic.
1-4094: a specific VLAN.
4095: trunk mode (accepts traffic for all VLANs).


Assign the port group to FortiGate network adapter 2:

Go to Network -> Virtual Machines -> select FortiGateVM -> Edit -> under Network Adapter 2 (FortiGate port2), select the new port group -> Save.


Configure the trunk and interface VLAN 10 on the Cisco core switch CLI:

configure terminal
! uplink towards the ESXi host: carry all VLANs as a trunk
interface gi0/0
 switchport
 switchport mode trunk
 no shut
exit
vlan 10
exit
! SVI for VLAN 10, peer of the FortiGate VLAN-10 interface (172.16.10.2/30)
interface vlan 10
 ip address 172.16.10.1 255.255.255.252
 no shut
exit
! return to privileged EXEC mode before saving the configuration
end
copy running-config startup-config


Verification:

Ping test from FortiGate going to Core Switch interface VLAN 10 IP Address should be successful.


The packet sniffer result should show traffic is passing through the VLAN 10 interface.
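As an added example (not part of this article and not Fortinet's tooling), the Python script below checks the two things the setup above relies on before the ping test: that the ESXi port group is in VGT mode (VLAN 4095 on vSwitch1), parsed from a constructed sample of `esxcli network vswitch standard portgroup list` output, and that the FortiGate VLAN interface and the switch SVI agree on VLAN ID and subnet. The port group name, vSwitch name, VLAN ID and addresses are the article's values; the esxcli column layout is an assumption.

```python
# Added example (not Fortinet's code): sanity-check the ESXi VGT port group and
# the FortiGate <-> core switch VLAN 10 link described in the article.
import ipaddress
import re

# Constructed sample of `esxcli network vswitch standard portgroup list` output
# (column layout assumed); only the last row matters for the VGT check.
ESXCLI_PORTGROUP_LIST = """\
Name                  Virtual Switch  Active Clients  VLAN ID
--------------------  --------------  --------------  -------
Management Network    vSwitch0                     1        0
VM Network            vSwitch0                     0        0
Uplink_to_CoreSwitch  vSwitch1                     1     4095
"""

VGT_VLAN_ID = 4095  # Virtual Guest Tagging: pass all VLANs to the VM

def parse_portgroups(output):
    """Return {port group name: (vswitch, vlan_id)} from the esxcli table."""
    groups = {}
    for line in output.splitlines()[2:]:  # skip header and dashed separator
        # names may contain single spaces; columns are separated by 2+ spaces
        m = re.match(r"^(.*?)\s{2,}(\S+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            name, vswitch, _clients, vlan = m.groups()
            groups[name] = (vswitch, int(vlan))
    return groups

def portgroup_is_vgt(output, name, vswitch):
    """True if the port group is on the expected vSwitch with VLAN ID 4095."""
    return parse_portgroups(output).get(name) == (vswitch, VGT_VLAN_ID)

def vlan_link_problems(fgt_vlan_id, fgt_addr, switch_vlan_id, switch_addr):
    """List mismatches between the FortiGate VLAN interface and the switch SVI.
    Addresses are CIDR strings; both ends must share VLAN ID and subnet for the
    ping test in the article to succeed."""
    problems = []
    if not 1 <= fgt_vlan_id <= 4094:
        problems.append("FortiGate VLAN ID outside 1-4094")
    if fgt_vlan_id != switch_vlan_id:
        problems.append("VLAN ID mismatch between FortiGate and switch")
    fgt = ipaddress.ip_interface(fgt_addr)
    sw = ipaddress.ip_interface(switch_addr)
    if fgt.network != sw.network:
        problems.append("FortiGate and switch SVI are in different subnets")
    elif fgt.ip == sw.ip:
        problems.append("duplicate IP address on the link")
    return problems
```

Run `portgroup_is_vgt(ESXCLI_PORTGROUP_LIST, "Uplink_to_CoreSwitch", "vSwitch1")` against the real esxcli output from the host, and `vlan_link_problems(10, "172.16.10.2/30", 10, "172.16.10.1/30")` returns an empty list for the article's values.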


Related document:

Deploying the FortiGate-VM