zendodg
Staff
Article Id 283549

 

Description

This article discusses configuration sync errors caused by failed access to a FortiSwitch in FortiLink mode, reported as 'Rest API login failed with error 28'.

Scope

FortiSwitch.

Solution

When a FortiSwitch is controlled by a FortiGate, FortiGate sends configuration commands to FortiSwitch through the REST API. FortiGate also requests information from the FortiSwitch over HTTPS.

 

FortiGate needs to have admin access to FortiSwitch. This access is made over HTTPS.

 

FortiSwitch needs to have at least HTTPS enabled on its internal interface so that it can be controlled by FortiGate.

If it is disabled, the command 'get-sync-status' can report the error below.

 


 

'Rest API login failed with error 28' means that FortiGate could not log in to FortiSwitch through its REST API.

To fix this, enable HTTPS on FortiSwitch's internal interface manually, via either SSH or the console.

 

config system interface
    edit "internal"
        set allowaccess ping https ssh
    next
end

 

If the FortiGate is reachable via another interface that is not a FortiLink interface, be sure to enable HTTPS admin access on the interface that the firewall uses to reach the managed FortiSwitch.

 

This error may also be seen after modifying the HTTPS port on FortiSwitch, because FortiGate attempts to contact the FortiSwitch over HTTPS on TCP port 443. See the article 'Technical Tip: The importance of no modifying https port when FortiSwitch is managed by FortiGate'.

 

Another cause of the issue could be the trusthost configuration on the FortiSwitch. Check the output below on the FortiSwitch CLI and either remove the trusthost configuration or add the FortiGate subnet to it.

 

FSW# show full-config system admin
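
The allowaccess and trusthost checks described above can be run offline against saved FortiSwitch CLI output. The Python below is an added example, not code from this article or from Fortinet; the sample configuration, the FortiGate address 10.255.1.1, the 'set trusthostN <address> <mask>' line format and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample of FortiSwitch CLI output (not from the article).
SAMPLE_CONFIG = '''
config system interface
    edit "internal"
        set allowaccess ping ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 192.168.50.0 255.255.255.0
    next
end
'''

def parse_section(text, section):
    """Return {entry: {key: [values]}} for one top-level 'config <section>' block."""
    entries, current, depth = {}, None, 0
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if not words:
            continue
        if words[0] == "config":  # nested config blocks only raise the depth
            depth = depth + 1 if depth else int(" ".join(words[1:]) == section)
        elif words[0] == "end":
            depth = max(depth - 1, 0)
        elif depth == 1 and words[0] == "edit" and len(words) > 1:
            current = entries.setdefault(words[1], {})
        elif depth == 1 and words[0] == "set" and current is not None and len(words) > 1:
            current[words[1]] = words[2:]
    return entries

def audit(text, fortigate_ip, iface="internal"):
    """Report the settings the article names as blocking FortiGate's HTTPS login."""
    fgt, findings = ipaddress.ip_address(fortigate_ip), []
    access = parse_section(text, "system interface").get(iface, {}).get("allowaccess", [])
    if "https" not in access:
        findings.append(f"interface {iface}: https missing from allowaccess")
    for admin, cfg in parse_section(text, "system admin").items():
        nets = [ipaddress.ip_network("/".join(v), strict=False)
                for k, v in cfg.items() if re.fullmatch(r"trusthost\d+", k) and len(v) == 2]
        # Assumption: 0.0.0.0 0.0.0.0 entries are unset slots and restrict nothing.
        limits = [n for n in nets if n.prefixlen > 0]
        if limits and not any(fgt in n for n in limits):
            findings.append(f"admin {admin}: trusthost excludes {fgt}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "10.255.1.1"):  # constructed FortiGate address
        print(finding)
```

Adding the FortiGate subnet as a trusthost entry clears the second finding while keeping admin access restricted to known sources.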