When a FortiGate has 'Shared Media' interfaces, this means that it has a pair (or multiple pairs) of ports that offer two different physical connectors that tie back into a single logical interface. The purpose of these Shared Media ports is to offer users flexibility concerning the physical connectivity to the FortiGate.

However, a key detail here is that these Shared Media ports are not two fully separate sets of ports. They cannot be used at the same time, nor are they able to be configured separately. One way to treat these interfaces is 'two physical interfaces that connect to one shared logical interface'.

For example, consider the FortiGate-90G/91G:

Figure 1: FortiGate-90G diagram, as taken from the datasheet

On this model of FortiGate, the wan1 and wan2 RJ45 ports are labeled as 'shared' with SFP+1 and SFP+2. However, checking within FortiOS itself (e.g. show system interface) reveals that only wan1 and wan2 are present as configurable logical interfaces. To help illustrate the use case of these ports, consider the following example.

• An admin deploys the FortiGate-90G to one of their sites that has a broadband ISP connection. The ISP provides a modem that connects to the FortiGate via an RJ45-based CAT6 Ethernet cable.
  The admin can connect this cable to the RJ45-based wan1 port on the FortiGate to gain network access.
  
  
• Later, the ISP upgrades the connection to an optical fiber setup, and they offer the admin the option of connecting with an optical SFP+ transceiver.
  The admin can disconnect the Ethernet connection to wan1 and instead plug in the SFP+ transceiver into SFP+1. There is no need to update the configuration since these are a pair of Shared Media ports (i.e. all routes, policies, and other configs still reference the logical wan1 interface, but now the SFP+ physical medium is being used instead of RJ45).
  
  
• The admin later adds a second ISP connection to the site. This ISP only offers RJ45 Ethernet connections to the users, so the admin connects this new WAN connection to the RJ45 wan2 port. The SFP+-based wan1 connection used for the first ISP still operates without any changes.

In the case of the FortiGate-90G/91G, it is worth noting that these Shared Media physical interfaces (SFP+ vs. RJ45) are both capable of up to 10Gbps transmission rates, but they differ in terms of the exact speeds they support:

• The RJ45 interfaces (wan1 and wan2) are capable of 10G/5G/2.5G/1G/100M speeds with auto-negotiation support.
• The SFP+ interfaces (SFP+1 and SFP+2) are only capable of 10Gbps and 1Gbps speeds.
  
  

Note that on FortiGate 90/91G Generation 2 devices, the shared media ports are labeled as X1 and X2, rather than WAN1 and WAN2. This difference may cause issues when configuring an HA cluster between two units of different revisions and the cluster will not form.

Additionally, this can lead to inconsistencies with the FortiManager Device Model database. This is because, in the FortiManager device database, the model still lists the interfaces as WAN1 and WAN2.

get hardware status

Model name: FortiGate-91G
ASIC version: SOC5
CPU: ARMv8
Number of CPUs: 8
RAM: 7548 MB
EMMC: 9982 MB (MLC) /dev/mmcblk0
Hard disk: 114473 MB /dev/nvme0n1
USB Flash: not available
Network Card chipset: FortiASIC NP7LITE Adapter (rev.)
Hardware Revision: Rev2 <----- Generation 2 indicator.

FortiGate 80F/81F supports different configuration options for lower speeds on shared media ports depending the firmware version, see the article Technical Tip: 100full speed option missing for the shared SFP ports of FortiGate 80F/81F.

Finally, take note of some known behaviors regarding these Shared Media interfaces:

• The CLI command diagnose hardware shared-port < wan1 | wan2 > can be used to check the physical medium of the Shared Media interfaces chosen by the FortiGate. The following lists the expected behaviors when physically connecting these interfaces:
  • Neither one is connected -> medium will show as AUTO.
  • Only RJ45 is connected -> medium will show as Copper.
  • Only SFP+ is connected -> medium will show as Fiber. 
    • Note that the medium will only switch to Fiber when a transceiver with an active optical fiber connection is connected to the FortiGate.
    • Note also that there can be a brief delay (~5 seconds) when switching between physical mediums.
  • Both are connected -> medium will show as Copper (RJ45 takes priority over SFP+).
    
    • It is generally recommended to only connect one of the two interfaces in a Shared Media pair at a time to avoid any confusion.
• It is not possible to use pairs of Shared Media ports together in an LACP Link Aggregate (i.e. SFP+1 and wan1 cannot be used together in LACP since they are not two fully separate network interfaces).

To manually change the port type by running the following command:

diagnose hardware shared-port <port> fiber/copper

Note:

There is currently an issue affecting upgrades from v7.4.7 to v7.4.8, in which the shared port medium is not properly recognized, and will default to copper. This will make the interface go down if it is using a transceiver. Use the command above to force the appliance to recognize it as fiber, and the link will come up.

The port type change will be lost after reboot or if the speed is changed in v7.4.8. To solve it, an automation stitch can be configured to force FortiGate to change it back to Fiber by referring to Technical Tip: FortiGate 80F/81F Fiber port/SFP port in the shared port down after upgrade to v7.4.8.