Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sindre-FTNT
Staff
Staff

Created on ‎11-12-2019 03:26 AM

Technical Tip: Leverage LLDP to Simplify Security Fabric Negotiation

Description
This article describes how FortiOS 6.2 enables LLDP reception on WAN interfaces, and prompts FortiGates that are joining the Security Fabric if the upstream FortiGate asks.

-If an interface's role is undefined, LLDP reception and transmission inherit settings from the VDOM.
-If an interface's role is WAN, LLDP reception is enabled.
-If an interface's role is LAN, LLDP transmission is enabled.


When a FortiGate B's WAN interface detects that FortiGate A's LAN interface is immediately upstream (through the default gateway), and FortiGate A has Security Fabric enabled, FortiGate B will show a notification on the GUI asking to join the Security Fabric.


Solution
To configure LLDP reception and join a Security Fabric:

1) Go to Network -> Interfaces.
2) Configure an interface:

-If the interface's role is undefined, under Administrative Access, set Receive LLDP and Transmit LLDP to Use VDOM Setting.


Using the CLI:
#config system interface
    edit "port3"
        set lldp-reception vdom
        set lldp-transmission vdom
        set role undefined
        ...
    next
end
-If the interface's role is WAN, under Administrative Access, set Receive LLDP to Enable and Transmit LLDP to Use VDOM Setting.


Using the CLI:
#config system interface
    edit "wan1"
        set lldp-reception enable
        set lldp-transmission vdom
        set role wan
        ...
    next
end
-If the interface's role is LAN, under Administrative Access, set Receive LLDP to Use VDOM Setting and Transmit LLDP to Enable.



Using the CLI:
#config system interface
        edit "port2"
            set lldp-reception vdom
            set lldp-transmission enable
            set role lan
            ...
        next
end
A notification will be shown on FortiGate B.


Click Apply to save the settings.



Using the CLI:
#config system csf
    set status enable
    set upstream-ip 10.2.200.1
end

Labels:
3778
0 Kudos
Contributors

Contact Us