FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the steps to create a VLAN interface (802.1q tag) on a FortiGate.
Note about traffic tagging
A VLAN interface is attached to a physical interface.
When the FortiGate sends out traffic to the physical interface level, the egress packets are untagged, whereas the packets sent on a VLAN level are tagged.
If on a particular VLAN there are destination devices in the network that do not accept tagged packets, it will be required to connect the FortiGate to an intermediate L2 unit(a switch for example) configured with the same VLAN(s).
Example with a FortiGate with VLAN id 1 attached to port1:
Configuration steps provided for the GUI and the CLI to add the VLAN 100 , named My_VLAN_100, to the physical interface port1.
once created, this interface is subject to the same rules as physical interfaces. Firewall Policies must be defined to allow/deny traffic to/from this interface, and other common objects like Firewall Address can be assigned to it.
the physical interface on which a VLAN is attached does not require any IP address settings.
the VLAN ID range is from 1 to 4094. VLAN ID of 0 is reserved for high priority frames, and 4095 is reserved.
Configuration steps from the GUI :
1) Go to System -> Network and select 'Create New'.
2) Give a Name to the VLAN interface.
3) Choose the physical interface on which to attach the VLAN.
4) Select 'Type' as VLAN.
5) Give the desired VLAN ID. ....all other fields are depending on your other requirement (IP address, ping server...)
6) Select 'Apply'.
7) Go to System -> Network, select the blue arrow to expand the physical port and the VLAN will be displayed.
Configuration steps from the CLI
# config system interface edit "My_VLAN_100" set vdom "<vdom name>" set ip a.b.c.d e.f.g.h set interface "port1" set vlanid 100 next end