Combine PoE and internal interfaces on Fortigate60D POE
I am new to Fortigate firewall management.
There is a lot to like about the 60DPoE but one thing I don't is Joining the 2 PoE interfaces to the internal switch.
What's the best way to combine the 2 PoE (InternalA, InternalB) and Internal (5 port switch).
I bought the 60D PoE because it had not only a configurable firewall but 2 PoE ports which would allow me to remove a Linksys PoE switch needed for 2 IP cameras.
The NVR is of course on the 5 port internal switch interface but the 2 PoE ports are required to be on different subnets.
The system works fine as long as I continue to run the IP cameras on a separate PoE switch using the internal 5 ports (all on the same subnet), but I need to get the 2 internalA internalB PoE ports mapped into the same subnet as the NVR. It seems like Fortinet would have an easy way to merge these interfaces. The 60D is basically configured to the factory default settings.
Thank you kindly for you effort and reply. Do you think it is hardware bound or could it work in 5.6.3? I have that running but I do not seem to be able to couple the 2 ports to my hardware switch...
Every configuration with a "software switch" I seem to be bind the maximum throughput to 50Mbps (the theoretical IPS throughput: Firewall 1.5 Gbps, IPS 50Mbps, NGFW 30Mbps, Threat Protection 25Mbps). I never get any throughput of 1.5Gbps at all (even without additional features). So I wanted to bridge my SSIDs to a hardware switch and see what that would work out like. But I think I will not be able to...
I think it's because of hardware design. Newer software wouldn't change it.
For the performance issue, are you seeing a better number when you hook up the same test device to one of 5 non-PoE ports w/ haredware-switch? If not, it wouldn't change either even if you could put it in the hard-switch.
No, haven't. That would be the next step. But I have a running environment that's not easy to change. I wonder what and how fortinet came up with the 1.5 Gbps throughput... that would be ~187.5 Mbps... would the maximum really be 50Mbps (per interface)? I do only use plain firewalling and have 1 NAT overload internet address...
Wanted to let you guys know with FortiOS 5.6.3 and two FortiAP 221Cs I have been able to join all PoE ports into the "internal" hardware switch. Once you remove all referenced settings (Policies, DHCP settings) from the "internalA" and "internalB" ports you can add them to the hardware switch. The only caveat is you need to use CLI to enable PoE power. For some reason when joining them to the hardware switch the power turns off and you can't turn it on within the GUI. Commands below:
config system virtual-switch
set poe enable
set poe enable
Once you get back to the top level prompt in CLI the settings should apply and you should see your APs start powering up.
I then made some VLAN interfaces on the "internal" hardware switch and SSIDs with those associated VLANs to control traffic. Not as secure as using tunnel mode but my performance went to what was expected for our internet pipe. Stats from my testing are below:
Internet Pipe: 130d/25up
dtls-policy set to clear text: 60d/25up
dtls-policy set to ipsec: 15d/15up
dtls-policy set to dtls: 4d/4up
As you can see the 60D has nowhere near the processing power to handle true DTLS tunnel encryption even with the more efficient IPsec protocol.
I hope this helps everyone. Next is to test the 60E PoE to see how the performance stacks up.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.