Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zee
New Contributor

Layer 2 ports on Fortigate firewall

Hi everyone.

I am new to Fortigate firewall,  coming from Juniper SRX back ground.

This is what I am trying to accomplish:

 

End hosts--SW--trunk----Port2-Fortigate FW

 

Port 2 should be layer 2 trunk port, accept tagged traffic for vlan 20

Vlan 20 should be defined and have IP 2.2.2.2/24

 

How do I proceed?

 

Additional info:

Platform: VM (Fortigate-VM64, version v6.2.0 ,build 0866)

 

Thanks and have a nice weekend!!

 

 

1 Solution
hubertzw
Contributor III

Hi Add vlan20 interface as part of port2 and assign IP. You will have ability to add more vlans in the future

View solution in original post

5 REPLIES 5
hubertzw
Contributor III

Hi Add vlan20 interface as part of port2 and assign IP. You will have ability to add more vlans in the future
zee
New Contributor

Thanks for your response.

Just to be clear about the tagging logic on Fortigate firewall.

1) On other vendors, we have to specifically tell the FW treat the port as tagged port.

2) On Fortigate FW, there is no such setting, rather the presence of multiple vlans on a single port, tells the FW to use tagging i.e no we do not need to tell FW to use tag via some specific config, just put vlans on a port will do the trick.

 

Have a good weekend!!

Leen
New Contributor III

Every Fortigate VLAN interface is seen as a physical interface and does need

- firewall routing

- firewall policies

You can combine interfaces into a zone (depending which Forti OS version you have). This will limit the number of policies you need to manage.

 

zeromahesh

zee,

 

Fortigate VLAN Interface / Tagged Interface logic is same as Cisco / PaloAlto etc. In Cisco we do create Layer 3 Sub Intefaces with VLAN tags. In PaloAlto also we do the same thing. In Fortgate there is no so called thing like Sub Interface but logic is the same. That is create VLAN Interface with a VLAN tag and bind it to Physical Port. Then it works as a Sub Interfaces in Cisco, PaloAlto and Checkpoint.

Please see the below steps.

 

Configuration steps  from the GUI :

 

1) Go to System -> Network and select 'Create New'.

 

2) Give a Name to the VLAN interface.

 

3) Choose the physical interface on which to attach the VLAN.

 

4) Select 'Type' as VLAN.

 

5) Give the desired VLAN ID.        ....all other fields are depending on your other requirement (IP address, ping server...)

 

 

 6) Select 'Apply'.

 

7) Go to System -> Network, select the blue arrow to expand the physical port and the VLAN will be displayed.

 

Configuration steps  from the CLI

 

# config system interface     edit "My_VLAN_100"         set vdom "<vdom name>"         set ip a.b.c.d  e.f.g.h         set interface "port1"         set vlanid 100     next end
ede_pfau
Esteemed Contributor III

@zee:

VLAN ports in FortiOS always are tagged, there is no additional step to take to connect a FGT to a VLAN trunk.


Ede

"Kernel panic: Aiee, killing interrupt handler!"