I am new to managed FortiSwitch configuration.
I currently have a 60F FortiLinked to manage a 108E with the B port to the switch. Everything seems to be working; however, I am worried about bandwidth issues over just the one link. Well, I tried to also connect the A port to the same switch, but the firewall froze up. I assume that having more than one FortiLink to the same switch caused some sort of conflict. So, suggestions on how to expand the bandwidth between the firewall and the switch? Is adding an additional FortiLink connection correct (and I just screwed it up), or would I be better off adding a connection between the switch-internal VLAN and one of the firewall internal interfaces?
When it comes to expanding the bandwidth between your Fortinet Firewall and the managed FortiSwitch, there are a few options to consider.
1. Multiple FortiLink Connections: The FortiLink feature allows you to establish a secure connection between the firewall and the FortiSwitch. However, if connecting both the A and B ports of the FortiSwitch to the same switch caused the firewall to freeze up, it suggests a conflict or misconfiguration.
- Check the configuration: Ensure that the FortiLink settings on both the firewall and the switch are properly configured. Confirm that the switch port is configured as a trunk port and that the firewall's FortiLink ports are configured as switch mode interfaces.
- Verify switch compatibility: Double-check if the switch supports multiple FortiLink connections. Some switches may have limitations on the number of FortiLink connections they can handle.
- Consider firmware updates: Make sure that both the firewall and the switch are running the latest firmware versions. Firmware updates often include bug fixes and improvements that can address compatibility issues.
2. Link Aggregation (LAG): Another option to increase bandwidth is to implement link aggregation (LAG). LAG allows you to combine multiple physical interfaces into a single logical interface, providing increased throughput.
- Verify switch support: Check if your switch supports link aggregation and the specific LAG protocols (such as LACP or static) that the Fortinet devices require.
- Configure LAG on the switch: Follow the switch's documentation to configure LAG and assign the required ports. Configure LACP or static LAG mode depending on the capabilities of your Fortinet devices.
- Configure LAG on the firewall: On the Fortinet Firewall, configure the LAG interface using the aggregated physical ports. Adjust the firewall's network interface settings to use the LAG interface for the desired traffic.
3. VLAN Trunking: If adding additional FortiLink connections or link aggregation is not feasible, you can consider using VLAN trunking to expand the bandwidth between the firewall and the switch.
- Create VLAN interfaces: Configure VLAN interfaces on both the firewall and the switch. Assign the VLAN interfaces to the desired network segments.
- Configure VLAN tagging: Enable VLAN tagging on the switch port connected to the firewall. Configure the firewall's interface connected to the switch as a VLAN trunk, allowing traffic from multiple VLANs to pass through.
- Adjust firewall policies: Update the firewall policies to allow traffic between the different VLANs and apply the appropriate security measures.
A typical FortiLink using type Aggregate is only going to allow LACP when connected to a pair of MCLAG-enabled switches. The "FortiLink split interface" only works to a pair of MCLAG switches. FortiLink can alternatively be configured on a software switch (possibly a hardware switch) to allow multiple direct FortiSwitch connections in a hub/spoke design centered around the Gate being the hub (this isn't a recommended design due to potential L2 bottlenecks).
However, in v7.2 a new feature was released to allow the FortiGate Software Switch, enabled with FortiLink, to have an aggregate group added to the software switch for connecting FortiSwitch using multiple ports and taking advantage of LACP with FortiLink.
I have not tried this yet but hope to shortly. Below is a link to the documentation for those that are interested.
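As an added example (not from either poster in this thread), this is the FortiOS CLI shape of a FortiLink aggregate that bundles two uplinks to one FortiSwitch, the case the original question describes. The interface name, member port names "a" and "b", and the 169.254.1.1/24 address are assumptions taken from the usual 60F defaults; whether `fortilink-split-interface` should be disabled for a single standalone switch is what to confirm against the FortiLink guide for the firmware in use before applying it.

```fortios
# Added example, not configuration from the thread.
# FortiLink as an aggregate so both ports can carry the FortiLink.
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set type aggregate
        # Assumed member ports: the 60F's "a" and "b" FortiLink ports.
        set member "a" "b"
        # LACP negotiates the bundle with the switch; "static" skips negotiation.
        set lacp-mode active
        # With split interface enabled, only one member is active at a time
        # (meant for two switches). For two links to ONE standalone switch,
        # the FortiLink guide's multi-port-to-single-switch case disables it;
        # verify for your release.
        set fortilink-split-interface disable
        set ip 169.254.1.1 255.255.255.0
        set allowaccess ping fabric
    next
end
```

After the change, `execute switch-controller get-conn-status` shows whether the FortiSwitch is still authorized and connected over the aggregate; a frozen management path, as the question describes, is what to watch for if only one member actually comes up.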