FortiSwitch and FortiGate 6.4.x and above.

In some cases, the requirement is to bring up a FortiSwitch in FortiLink mode, but the FortiSwitch is not directly connected to the FortiGate.

There is a layer 3 network between FortiGate and FortiSwitch.

Read the below link before starting the configuration:

https://docs.fortinet.com/document/fortiswitch/7.2.4/fortilink-guide/801182/fortilink-mode-over-a-la...

https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801182/fortilink-mod...

Note that the layer3 FortiLink config has changed from the 7.2.x version and above.

Refer to the below configuration:

FortiGate v7.2.4.

FortiSwitch v7.2.3.

FortiGate config:

Configure a Fortilink interface:

sh system interface port
config system interface
    edit "port3"
        set vdom "root"
        set fortilink enable
        set switch-controller-source-ip fixed <----- Make sure to enable this option.
        set ip 11.11.11.1 255.255.255.0
        set allowaccess ping fabric
        set type physical
        set device-identification enable
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 5
        set auto-auth-extension-device enable
        set fortilink-neighbor-detect lldp
        set switch-controller-nac "port3"
        set switch-controller-dynamic "port3"
        set swc-first-create 255
    next
end

When Fortilink is enabled on FortiGate, the Fortilink interface automatically gets added to NTP server.

sh system ntp
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "port3"
end

FortiSwitch config.

1) Create the trunk:

config switch trunk
    edit "fortilink"
        set static-isl enable
        set members "port47"
    next
end

2) By default FortiLink VLAN is 4094

config switch auto-network
    set mgmt-vlan 4094
    set status enable
end

3) Configure FortiGate IP on FortiSwitch (static discovery is used in this example).

config switch-controller global
    set ac-discovery-type static
        config ac-list
            edit 1
                set ipv4-address 11.11.11.1     <-----
            next
        end
    end

4) Add the NTP server (FortiGate FortiLink IP) on the FortiSwitch NTP config. FortiSwitch will sync its time with FortiGate.

config system ntp
config ntpserver
    edit 1
        set server "11.11.11.1"    <-----
    next
end
    set ntpsync enable
end

5) Now, if the switch interface config is checked, it should look something like this: where the native VLAN is 4094.

sh switch interface internal
config switch interface
    edit "internal"
        set native-vlan 4094    <------ Internal interface will only have vlan 4094
        set stp-state disabled
        set snmp-index 53
    next
end

sh switch interface fortilink
config switch interface
    edit "fortilink"
        set native-vlan 4094
        set allowed-vlans 1,22,4088-4094         <----- All l2 VLANs are allowed by default.
        set dhcp-snooping trusted
        set stp-state disabled  <----- STP is by default enabled, here it is disabled as its a point-to-point link.
        set edge-port disabled
        set snmp-index 56
    next
end

6) By default internal interface is set to DHCP mode, but here it is configured in static mode.

config system interface
    edit "internal"
        set mode static

        set ip 21.21.21.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set secondary-IP enable
        set snmp-index 55
            config secondaryip
                edit 1
                    set ip 192.168.1.99 255.255.255.0
                    set allowaccess ping https ssh
                next
            end
        next
    end

 - Make sure FortiSwitch and FortiGate can reach each other and make sure services like NTP, capwap, LLDP, ICMP, are allowed.

Helpful Commands on FortiSwitch:

get system interface
== [ internal ]
name: internal mode: static ip: 21.21.21.2 255.255.255.0 status: up type: physical mtu-override: disable

get sys arp
Address Age(min) Hardware Addr Interface
21.21.21.1 0 00:12:e2:0f:5f:e6 internal

execute ping 21.21.21.1
PING 21.21.21.1 (21.21.21.1): 56 data bytes
64 bytes from 21.21.21.1: icmp_seq=0 ttl=64 time=1.6 ms
64 bytes from 21.21.21.1: icmp_seq=1 ttl=64 time=1.2 ms

diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled

ipv4 server(11.11.11.1) 11.11.11.1 -- reachable(0xff) S:1 T:47 selected
server-version=4, stratum=3
reference time is e8202c2a.69cd1b6f -- UTC Tue May 30 08:02:50 2023
clock offset is 0.001227 sec, root delay is 0.218719 sec
root dispersion is 0.010483 sec, peer dispersion is 48 msec

diagnose switch trunk summary

Trunk Name Mode PSC MAC Status Up Time
________________ _________________________ ___________ _________________ ___________ _________________________________

fortilink static(isl) src-dst-ip E8:ED:D6:CB:67:61 up(1/1) 1 days,18 hours,49 mins,12 secs

execute switch-controller get-conn-status

Get managed-switch S148Fxxxxx connection status:
Connection: Connected
Image Version: FG200F-v7.2-build1396
Remote Address: 11.11.11.1
Join Time: Tue May 30 00:06:53 2023
DTLS Version: DTLSv1.2

 Helpful commands on FortiGate:

execute switch-controller get-conn-status
Managed-devices in current vdom root:

FortiLink interface : port3
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S148FFxxxxx v7.2.3 (434) Authorized/Up 3 21.21.21.2 Tue May 30 00:06:53 2023 -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 64)

execute switch-controller diagnose-connection