FortiSwitch: secure, simple and scalable Ethernet solutions
Article Id 258359
Description: This article describes how to configure a FortiSwitch in FortiLink mode over a layer-3 network.

Scope: FortiSwitch and FortiGate 6.4.x and above.


In some cases, the requirement is to bring up a FortiSwitch in FortiLink mode even though the FortiSwitch is not directly connected to the FortiGate: there is a layer-3 network between the FortiGate and the FortiSwitch.


Read the below link before starting the configuration:


Note that the layer-3 FortiLink configuration changed in version 7.2.x and above.


Refer to the configuration below, taken from the following versions:

FortiGate v7.2.4.

FortiSwitch v7.2.3.





FortiGate config:

Configure a FortiLink interface (port3 in this example):


sh system interface port
config system interface
    edit "port3"
        set vdom "root"
        set fortilink enable
        set switch-controller-source-ip fixed <----- Make sure to enable this option; it is required for FortiLink over layer 3.
        set ip
        set allowaccess ping fabric
        set type physical
        set device-identification enable
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 5
        set auto-auth-extension-device enable
        set fortilink-neighbor-detect lldp
        set switch-controller-nac "port3"
        set switch-controller-dynamic "port3"
        set swc-first-create 255
    next
end


When FortiLink is enabled on the FortiGate, the FortiLink interface is automatically added to the NTP server configuration, so the FortiGate acts as an NTP server on that interface:


sh system ntp
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "port3"
end



FortiSwitch config:

1) Create the FortiLink trunk with static ISL on the uplink port (port47 in this example):


config switch trunk
    edit "fortilink"
        set static-isl enable
        set members "port47"
    next
end


2) By default the FortiLink management VLAN is 4094:


config switch auto-network
    set mgmt-vlan 4094
    set status enable
end


3) Configure the FortiGate IP on the FortiSwitch (static discovery is used in this example):


config switch-controller global
    set ac-discovery-type static
    config ac-list
        edit 1
            set ipv4-address     <----- FortiGate FortiLink interface IP.
        next
    end
end


4) Add the NTP server (the FortiGate FortiLink IP) to the FortiSwitch NTP configuration. The FortiSwitch will then sync its time with the FortiGate:


config system ntp
    set ntpsync enable
    config ntpserver
        edit 1
            set server ""    <----- FortiGate FortiLink interface IP.
        next
    end
end



5) The switch interface configuration should now look like this, with the native VLAN set to 4094:


sh switch interface internal
config switch interface
    edit "internal"
        set native-vlan 4094    <------ The internal interface carries only VLAN 4094.
        set stp-state disabled
        set snmp-index 53
    next
end


sh switch interface fortilink
config switch interface
    edit "fortilink"
        set native-vlan 4094
        set allowed-vlans 1,22,4088-4094         <----- All layer-2 VLANs are allowed by default.
        set dhcp-snooping trusted
        set stp-state disabled  <----- STP is enabled by default; it is disabled here because this is a point-to-point link.
        set edge-port disabled
        set snmp-index 56
    next
end


6) By default the internal interface is in DHCP mode; here it is configured with a static IP (and a secondary IP):


config system interface
    edit "internal"
        set mode static
        set ip
        set allowaccess ping https ssh
        set type physical
        set secondary-IP enable
        set snmp-index 55
        config secondaryip
            edit 1
                set ip
                set allowaccess ping https ssh
            next
        end
    next
end


 - Make sure the FortiSwitch and FortiGate can reach each other across the layer-3 network, and that the services FortiLink relies on (NTP, CAPWAP, LLDP, ICMP) are allowed between them.


Helpful Commands on FortiSwitch:


get system interface
== [ internal ]
name: internal mode: static ip: status: up type: physical mtu-override: disable


get sys arp
Address          Age(min)  Hardware Addr      Interface
                 0         00:12:e2:0f:5f:e6  internal



execute ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=1.6 ms
64 bytes from icmp_seq=1 ttl=64 time=1.2 ms



diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server( -- reachable(0xff) S:1 T:47 selected
server-version=4, stratum=3
reference time is e8202c2a.69cd1b6f -- UTC Tue May 30 08:02:50 2023
clock offset is 0.001227 sec, root delay is 0.218719 sec
root dispersion is 0.010483 sec, peer dispersion is 48 msec


diagnose switch trunk summary

Trunk Name Mode PSC MAC Status Up Time
________________ _________________________ ___________ _________________ ___________ _________________________________

fortilink static(isl) src-dst-ip E8:ED:D6:CB:67:61 up(1/1) 1 days,18 hours,49 mins,12 secs


execute switch-controller get-conn-status

Get managed-switch S148Fxxxxx connection status:
Connection: Connected
Image Version: FG200F-v7.2-build1396
Remote Address:
Join Time: Tue May 30 00:06:53 2023
DTLS Version: DTLSv1.2



Helpful commands on FortiGate:


execute switch-controller get-conn-status
Managed-devices in current vdom root:

FortiLink interface : port3
S148FFxxxxx v7.2.3 (434) Authorized/Up 3 Tue May 30 00:06:53 2023 -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 64)
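To turn the FortiGate output above into a repeatable health check, here is an added Python example (not part of this article or of Fortinet's tooling) that parses get-conn-status output and reports switches that are not Authorized/Up, carry the E (config sync error) flag, or lack the 3 (L3) flag expected in a layer-3 FortiLink deployment. The sample output is constructed from the article's format; the second switch and its flags are placeholders added to exercise the checks.

```python
import re

# Constructed sample modelled on the FortiGate "execute switch-controller
# get-conn-status" output; the second switch and its E flag are made up.
SAMPLE_OUTPUT = """\
Managed-devices in current vdom root:

FortiLink interface : port3
S148FFxxxxx v7.2.3 (434) Authorized/Up 3 Tue May 30 00:06:53 2023 -
S148FFyyyyy v7.2.3 (434) Authorized/Down E3 Tue May 30 00:10:11 2023 -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3
Managed-Switches: 2 (UP: 1 DOWN: 1 MAX: 64)
"""

# One managed switch per line: serial, version, build, Authorized/State, flags, join time.
SWITCH_RE = re.compile(
    r"^(?P<serial>S\S+)\s+v(?P<version>\S+)\s+\((?P<build>\d+)\)\s+"
    r"(?P<auth>\w+)/(?P<state>\w+)\s+(?P<flags>\S+)\s+(?P<join>.+?)\s+-\s*$"
)
FLAG_RE = re.compile(r"^Flags:\s*(.*)$")
SUMMARY_RE = re.compile(r"^Managed-Switches:\s*(\d+)\s*\(UP:\s*(\d+)\s+DOWN:\s*(\d+)")


def parse_conn_status(text):
    """Return (switches, flag_legend, (total, up, down)) parsed from the output."""
    switches, legend, summary = [], {}, None
    for line in text.splitlines():
        if m := SWITCH_RE.match(line):
            d = m.groupdict()
            d["flags"] = "" if d["flags"] == "-" else d["flags"]  # assume "-" means no flags
            switches.append(d)
        elif m := FLAG_RE.match(line):
            legend = dict(item.strip().split("=", 1) for item in m.group(1).split(","))
        elif m := SUMMARY_RE.match(line):
            summary = tuple(int(x) for x in m.groups())
    return switches, legend, summary


def find_problems(text, expect_l3=True):
    """List issues: switch not Authorized/Up, config sync error, missing L3 flag, count mismatch."""
    switches, legend, summary = parse_conn_status(text)
    problems = []
    for sw in switches:
        if sw["auth"] != "Authorized" or sw["state"] != "Up":
            problems.append(f'{sw["serial"]}: {sw["auth"]}/{sw["state"]}')
        if "E" in sw["flags"]:
            problems.append(f'{sw["serial"]}: {legend.get("E", "E flag set")}')
        if expect_l3 and "3" not in sw["flags"]:
            problems.append(f'{sw["serial"]}: not flagged as L3 FortiLink')
    if summary and summary[0] != len(switches):
        problems.append(f"summary reports {summary[0]} switches, parsed {len(switches)}")
    return problems
```

Feed it the raw text of the command output (for example collected over SSH) and alert on a non-empty result.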


execute switch-controller diagnose-connection