Technical Tip: Leverage LLDP to Simplify Security Fabric Negotiation

Sindre-FTNT · ‎11-12-2019

Description
This article describes how FortiOS 6.2 enables LLDP reception on WAN interfaces, and prompts FortiGates that are joining the Security Fabric if the upstream FortiGate asks.

-If an interface's role is undefined, LLDP reception and transmission inherit settings from the VDOM.
-If an interface's role is WAN, LLDP reception is enabled.
-If an interface's role is LAN, LLDP transmission is enabled.

When a FortiGate B's WAN interface detects that FortiGate A's LAN interface is immediately upstream (through the default gateway), and FortiGate A has Security Fabric enabled, FortiGate B will show a notification on the GUI asking to join the Security Fabric.

Solution
To configure LLDP reception and join a Security Fabric:

1) Go to Network -> Interfaces.
2) Configure an interface:

-If the interface's role is undefined, under Administrative Access, set Receive LLDP and Transmit LLDP to Use VDOM Setting.

Using the CLI:

#config system interface
    edit "port3"
        set lldp-reception vdom
        set lldp-transmission vdom
        set role undefined
        ...
    next
end

-If the interface's role is WAN, under Administrative Access, set Receive LLDP to Enable and Transmit LLDP to Use VDOM Setting.

Using the CLI:

#config system interface
    edit "wan1"
        set lldp-reception enable
        set lldp-transmission vdom
        set role wan
        ...
    next
end

-If the interface's role is LAN, under Administrative Access, set Receive LLDP to Use VDOM Setting and Transmit LLDP to Enable.

Using the CLI:

#config system interface
        edit "port2"
            set lldp-reception vdom
            set lldp-transmission enable
            set role lan
            ...
        next
end

A notification will be shown on FortiGate B.

Click Apply to save the settings.

Using the CLI:

#config system csf
set status enable
set upstream-ip 10.2.200.1
end