Description
This article describes dynamic port policy configuration on FortiSwitch and demonstrates how this solution can be tested, tuned, and troubleshot. It assumes that the FortiLink interface is already set up and that one or more FortiSwitches have been successfully onboarded and are connected to the FortiGate via FortiLink.
Scope
FortiGate and FortiSwitch.
Solution
Third-party wireless access points, Aruba and Ubiquiti UniFi, were used as examples, and all policies were built based on their device patterns.
- Create a FortiSwitch VLAN interface that will carry wireless access point management traffic: under the FortiLink interface, create a sub-interface with a specific VLAN ID (18 and 19 in this example) that will serve as the native VLAN for the wireless access points, and assign IP addresses to these interfaces:
GUI:
CLI:
config system interface
edit "VLAN18-WiFi-Mgt"
set vdom "root"
set ip 172.18.254.1 255.255.255.0
set device-identification enable
set role lan
set snmp-index 26
set ip-managed-by-fortiipam disable
set interface "fortilink"
set vlanid 18
next
end
GUI:
CLI:
config system interface
edit "VLAN19-WiFi-Mgt"
set vdom "root"
set ip 172.19.254.1 255.255.255.0
set device-identification enable
set role lan
set snmp-index 30
set ip-managed-by-fortiipam disable
set interface "fortilink"
set vlanid 19
next
end
- Create VLAN policies that will later be linked to the dynamic port policies: at the time of writing, VLAN policies can be created only from the CLI.
Create VLAN policies for the Aruba and Unifi APs respectively:
config switch-controller vlan-policy
edit "Aruba-AP-VLAN-Policy"
set fortilink "fortilink"
set vlan "VLAN18-WiFi-Mgt" //the previously created VLAN18 interface
next
edit "Unifi-AP-VLAN-Policy"
set fortilink "fortilink"
set vlan "VLAN19-WiFi-Mgt" //the previously created VLAN19 interface
next
end
- Create dynamic port policies for different types of access points.
GUI:
Under WiFi & Switch Controller, navigate to FortiSwitch Port Policies and switch to the Dynamic Port Policies tab. Create a new policy, DPP-AP in this example:
Create two separate rules that match the different types of access points. If all access points are known to share the same OUI in their MAC addresses, that OUI followed by wildcard octets can be used as the MAC device pattern. Select the VLAN policy from the dropdown list and point it to the one previously created for the Aruba AP and the Unifi AP respectively.
CLI:
config switch-controller dynamic-port-policy
edit "DPP-AP"
set fortilink "fortilink"
config policy
edit "Rule1-Aruba-AP"
set mac "84:d4:7e:**:**:**"
set hw-vendor "Aruba"
set type "Network Generic"
set family "Access Point"
set vlan-policy "Aruba-AP-VLAN-Policy"
next
edit "Rule2-Unfi-AP"
set mac "18:e8:29:**:**:**"
set hw-vendor "Ubiquiti"
set type "Network Generic"
set family "Unifi"
set vlan-policy "Unifi-AP-VLAN-Policy"
next
end
next
end
NOTE:
Visit https://filestore.fortinet.com/product-downloads/fortilink/HTFO_list.json to see the list of valid values for hardware vendor, type, device family, and operating system.
When dynamic port policy rules are added to the FortiLink policy settings, they are processed sequentially, from the first rule to the last. If it is unclear which patterns to use to match the APs in a dynamic port policy rule, run the following command on the FortiGate to see the devices connected to the FortiSwitch ports.
This classification happens behind the scenes, using all fingerprinting methods loaded into FortiOS and the switch controller.
diagnose user device list
Example extract from the switch with the Aruba and Unifi APs connected:
vd root/0 18:e8:29:93:52:a8 gen 1878 req 0
created 6121s gen 1869 seen 6121s fortilink gen 9
hardware vendor 'Ubiquiti' src lldp id 4106 weight 255
type 'Network Generic' src lldp id 4106 weight 255
family 'UniFi' src lldp id 4106 weight 255
os 'UniFi' src lldp id 4106 weight 255
hardware version 'UAP-AC-Pro-Gen2' src lldp id 4106 weight 255
software version '6.6.77.15402' src lldp id 4106 weight 255
host 'UAP-AC-Pro-Gen2' src lldp
vd root/0 84:d4:7e:c1:c4:ea gen 1938 req 0
created 2131s gen 1915 seen 2131s gen 10
hardware vendor 'Aruba' src lldp id 4402 weight 230
type 'Network Generic' src lldp id 4402 weight 230
family 'Access Point' src lldp id 4402 weight 230
os 'ArubaOS' src lldp id 4402 weight 230
hardware version '205' src lldp id 4402 weight 230
host '84:d4:7e:c1:c4:ea' src lldp
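To illustrate how the engine evaluates the DPP-AP rules above against the fingerprinted attributes in this output, here is an added Python example (not FortiOS code; the octet-wise MAC wildcard and first-match rule order are taken from this page, while the case-insensitive attribute comparison, needed because the rule says 'Unifi' and the fingerprint says 'UniFi', is an assumption). A constructed third device with the Aruba OUI but a different family shows that the OUI alone does not produce a match.

```python
# Added example: a minimal model of the dynamic port policy (DPP) engine
# described on this page. Not FortiOS code; semantics inferred from the page.

# Device records in the shape of 'diagnose user device list' output.
# The first two are the APs shown above; the third is constructed
# (Aruba OUI, but fingerprinted as a different family).
DEVICES = [
    {"mac": "18:e8:29:93:52:a8", "hw_vendor": "Ubiquiti",
     "type": "Network Generic", "family": "UniFi"},
    {"mac": "84:d4:7e:c1:c4:ea", "hw_vendor": "Aruba",
     "type": "Network Generic", "family": "Access Point"},
    {"mac": "84:d4:7e:00:11:22", "hw_vendor": "Aruba",
     "type": "Network Generic", "family": "Switch"},
]

# The two rules of the DPP-AP policy, in configured (evaluation) order.
RULES = [
    {"name": "Rule1-Aruba-AP", "mac": "84:d4:7e:**:**:**",
     "hw_vendor": "Aruba", "type": "Network Generic",
     "family": "Access Point", "vlan_policy": "Aruba-AP-VLAN-Policy"},
    {"name": "Rule2-Unfi-AP", "mac": "18:e8:29:**:**:**",
     "hw_vendor": "Ubiquiti", "type": "Network Generic",
     "family": "Unifi", "vlan_policy": "Unifi-AP-VLAN-Policy"},
]


def mac_matches(pattern: str, mac: str) -> bool:
    """Octet-wise comparison; a '**' octet is a wildcard. The flpold debug
    output shows the same idea as mac_pattern byte 2a plus a wild_bitlist."""
    p_octets, m_octets = pattern.lower().split(":"), mac.lower().split(":")
    if len(p_octets) != 6 or len(m_octets) != 6:
        raise ValueError("pattern and MAC must both have six octets")
    return all(p == "**" or p == m for p, m in zip(p_octets, m_octets))


def first_matching_rule(device: dict, rules=RULES):
    """Rules are processed sequentially; the first rule whose MAC pattern and
    every attribute match wins. Attribute comparison is case-insensitive here
    (assumption, see lead-in). Returns None when no rule matches."""
    for rule in rules:
        if not mac_matches(rule["mac"], device["mac"]):
            continue
        if all(rule[k].lower() == device.get(k, "").lower()
               for k in ("hw_vendor", "type", "family")):
            return rule
    return None


def vlan_policy_for(device: dict):
    """VLAN policy the engine would apply, or None (port keeps its static config)."""
    rule = first_matching_rule(device)
    return rule["vlan_policy"] if rule else None
```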
- Assign dynamic port policies to the required ports: assign the dynamic port policy to the ports where the Aruba and Unifi APs are connected.
GUI:
Navigate to WiFi & Switch Controller and the FortiSwitch Ports section below it, then assign the DPP-AP port policy to the ports where the APs are connected (ports 11 and 12 in this example): right-click the port, select Mode, and then select 'Assign Port Policy':
By default, the switch controller assigns the default policy named 'fortilink':
Select the pencil icon and change it to the DPP-AP policy; the resulting and desired settings are shown below:
After the dynamic policy engine runs and processes the VLAN assignment, the Dynamic VLAN column under FortiSwitch Ports shows the resulting VLAN policy applied to the port:
To make the switch controller run the dynamic port policy engine more often, shorten the interval. By default it runs every 15 seconds; the valid range is 5-60 seconds.
config switch-controller system
set dynamic-periodic-interval <5-60 seconds>
end
- Troubleshooting: the most useful command while troubleshooting the application of dynamic port policies to switch ports is 'diagnose switch-controller mac-device dynamic'.
Below is an example of it running on the same switch with the two different APs; their MAC addresses are in the first column:
FortiGate-61F # diagnose switch-controller mac-device dynamic
Vdom: root
MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT DYNAMIC-PORT-POLICY POLICY LAST-SEEN(sec) OVERRIDE(min) COMMENTS
18:e8:29:93:52:a8 S124FPTF23031192 port12 DPP-AP Rule2-Unfi-AP 0 - auto detected @ 2025-01-20 16:03:56
84:d4:7e:c1:c4:ea S124FPTF23031192 port11 DPP-AP Rule1-Aruba-AP 0 - auto detected @ 2025-01-20 16:00:24
Matched Devices in the vdom:2 (All-vdom:2 Max:1152)
It shows each AP MAC address on its switch port with the respective policy rule applied to it.
Finally, to see the dynamic policy engine in action, run the diagnose debug application commands below. The example captures how the engine runs and updates ports 11 and 12 with the rules defined above:
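As an added Python example (not FortiOS code), the following parses this table and compares it with the per-port assignment you expect; the sample output is constructed from the two rows above. Because the match keys (the MAC OUI and the LLDP-advertised vendor, type and family) come from the connected device itself, checking the engine's result against the intended per-port plan is a worthwhile routine sanity check.

```python
import re

# Added example: parse 'diagnose switch-controller mac-device dynamic'
# output and compare it with the per-port assignment you expect.
# Not FortiOS code. Sample output constructed from the two rows shown above.
SAMPLE_OUTPUT = """\
Vdom: root
MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT DYNAMIC-PORT-POLICY POLICY LAST-SEEN(sec) OVERRIDE(min) COMMENTS
18:e8:29:93:52:a8 S124FPTF23031192 port12 DPP-AP Rule2-Unfi-AP 0 - auto detected @ 2025-01-20 16:03:56
84:d4:7e:c1:c4:ea S124FPTF23031192 port11 DPP-AP Rule1-Aruba-AP 0 - auto detected @ 2025-01-20 16:00:24
Matched Devices in the vdom:2 (All-vdom:2 Max:1152)
"""

# Expected result for the lab on this page: Aruba AP on port11, Unifi AP on port12.
EXPECTED = {"port11": "Rule1-Aruba-AP", "port12": "Rule2-Unfi-AP"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}\s", re.I)


def parse_mac_device_dynamic(text: str) -> list:
    """Return one dict per matched-device row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not MAC_RE.match(line):
            continue
        f = line.split(None, 7)  # seven single-token columns, COMMENTS is the rest
        rows.append({"mac": f[0].lower(), "switch": f[1], "port": f[2],
                     "dpp": f[3], "rule": f[4], "last_seen": int(f[5]),
                     "override": f[6], "comment": f[7] if len(f) > 7 else ""})
    return rows


def check_assignments(rows: list, expected: dict, max_last_seen: int = 60) -> list:
    """Flag ports whose matched rule differs from the plan, devices matched on
    ports not in the plan, stale entries, and planned ports with no match at
    all. An empty list means everything lines up."""
    problems, seen_ports = [], set()
    for r in rows:
        seen_ports.add(r["port"])
        want = expected.get(r["port"])
        if want is None:
            problems.append(f"{r['port']}: unexpected dynamic match {r['rule']} for {r['mac']}")
        elif r["rule"] != want:
            problems.append(f"{r['port']}: matched {r['rule']} but expected {want}")
        if r["last_seen"] > max_last_seen:
            problems.append(f"{r['port']}: {r['mac']} last seen {r['last_seen']}s ago")
    for port in sorted(expected.keys() - seen_ports):
        problems.append(f"{port}: no device matched a dynamic port policy rule")
    return problems
```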
FortiGate-61F # diagnose debug application flcfgd 7
Debug messages will be on for 30 minutes.
FortiGate-61F # diagnose debug application flpold 3
Debug messages will be on for 30 minutes.
FortiGate-61F # diag deb enable
FortiGate-61F # 514s:320ms:166us flpol_dpp_periodic_timer_handler[2270]:dpp-engine on vd root
514s:320ms:318us flpol_dpp_cmdb_event_handler[2215]:vfid 0
514s:320ms:396us flpol_dpp_check_mac_exists_in_mac_cache[662]:all: ret=1 vfid=0 sw=S124FPTF23031192 mac=18:e8:29:93:52:a8 port=port12 vlan=0 last_seen=0x0
514s:320ms:477us flpol_dpp_devices_check_validity[1453]:dev_sw=S124FPTF23031192 dev_port=port12 dev_last_seen=0x0 sw=S124FPTF23031192 port=port12 last_seen=0x0
514s:320ms:556us flpol_dpp_check_mac_exists_in_mac_cache[662]:all: ret=1 vfid=0 sw=S124FPTF23031192 mac=84:d4:7e:c1:c4:ea port=port11 vlan=0 last_seen=0x0
514s:320ms:635us flpol_dpp_devices_check_validity[1453]:dev_sw=S124FPTF23031192 dev_port=port11 dev_last_seen=0x0 sw=S124FPTF23031192 port=port11 last_seen=0x0
514s:320ms:921us flpol_dpp_user_device_store_event_handler[1729]:Handle dev-store event for vd root len 8353
514s:321ms:116us flpold_dpp_check_device_store_dev_match[1637]:vfid=0 mac=18:e8:29:93:52:a8 match=1
514s:321ms:206us flpol_dpp_check_mac_exists_in_mac_cache[662]:all: ret=1 vfid=0 sw=S124FPTF23031192 mac=18:e8:29:93:52:a8 port=port12 vlan=0 last_seen=0x0
514s:321ms:289us flpol_run_dpp_engine[959]:mac=18:e8:29:93:52:a8 is located on switch=S124FPTF23031192 port=port12 ret=1
514s:321ms:970us flpol_run_dpp_engine[1009]:MAC 18:e8:29:93:52:a8 located in switch S124FPTF23031192 port port12
514s:322ms:243us flpol_dpp_cmp_mac[791]:mac_str=84:d4:7e:**:**:** mac_pattern=84:d4:7e:2a:2a:2a wild_bitlist=00:00:00:01:01:01 mac=18:e8:29:93:52:a8
514s:322ms:345us flpol_dpp_cmp_mac[791]:mac_str=18:e8:29:**:**:** mac_pattern=18:e8:29:2a:2a:2a wild_bitlist=00:00:00:01:01:01 mac=18:e8:29:93:52:a8
514s:322ms:434us flpol_run_dpp_engine[1066]:policy Rule2-Unfi-AP matched for mac=18:e8:29:93:52:a8 sw=S124FPTF23031192 port=port12 !!!
514s:322ms:513us flpol_run_dpp_engine[1107]:Existing DPP device with mac 18:e8:29:93:52:a8 updated
514s:322ms:620us flpold_dpp_check_device_store_dev_match[1637]:vfid=0 mac=84:d4:7e:c1:c4:ea match=1
514s:322ms:709us flpol_dpp_check_mac_exists_in_mac_cache[662]:all: ret=1 vfid=0 sw=S124FPTF23031192 mac=84:d4:7e:c1:c4:ea port=port11 vlan=0 last_seen=0x0
514s:322ms:792us flpol_run_dpp_engine[959]:mac=84:d4:7e:c1:c4:ea is located on switch=S124FPTF23031192 port=port11 ret=1
514s:323ms:430us flpol_run_dpp_engine[1009]:MAC 84:d4:7e:c1:c4:ea located in switch S124FPTF23031192 port port11
514s:323ms:698us flpol_dpp_cmp_mac[791]:mac_str=84:d4:7e:**:**:** mac_pattern=84:d4:7e:2a:2a:2a wild_bitlist=00:00:00:01:01:01 mac=84:d4:7e:c1:c4:ea
514s:323ms:791us flpol_run_dpp_engine[1066]:policy Rule1-Aruba-AP matched for mac=84:d4:7e:c1:c4:ea sw=S124FPTF23031192 port=port11 !!!
514s:323ms:869us flpol_run_dpp_engine[1107]:Existing DPP device with mac 84:d4:7e:c1:c4:ea updated