Thank for the reply!

I'm looking at Fortinet documents but I don't see how to connect over IP, always use Fortilink over Fortiswitch. My network scheme is,

Fortigate <--> switch(HP/cisco/...) <--> Fortiswitch

and I don't understand how I can connect over IP in this situation.

fortimonkey wrote:

You can manage the FortSwitches via FortiLink over IP protocol, it doesn't matter about the interconnecting L2 infrastructure as FortiSwitch management is done on L3 https://docs.fortinet.com...manageFSWfromFGT54.pdf

I'm facing the same issue - I have my FGT connected to a Cisco stack with a FortiLink LAG. The FSW is then connected with a LAG from Cisco stack, on which all VLANs are allowed and the default VLAN (1) is the "native" VLAN (untagged).

This way, the FSW is not getting recognized by the FGT.

Can someone explain how FortiLink actually works? Is it layer 2 or layer 3?

On which interface is FortiLink information transmitted? Is it the "fortilink" interface itself (the one "Dedicated to FortiSwitch), or the below interface "vsw.fortilink"?

Thanks for any help/suggestions.

Flavio.

Hi,

I haven't tried it with LAG but I'll tell you something if it helps.

I understand that without LAG, with a configuration without stack with independent switches works correctly, right?

One problem I had in my case is that my FSW model didn't have the autodiscover enabled by default and I never found the FGT via L3. I had to activate it by CLI in FSW:

set auto-discovery-fortilink enable

However, fortilink in L3 has some limitations regarding a direct L2 connection. Similarly, it should be FOS 6.0.0 or higher. For example, the following options are not available in L3:

- Active-Active Split MCLAG from FortiGate to FortiSwitch - Access VLAN - DHCP Server on VLAN defined on FGT

On the issue of interface, I understand that "vsw" is the data transmission VLAN. From the latter you can create as many as you want. On the other hand, the interface dedicated to fortiswitch is the CAPWAP channel. Even if you don't pay much attention to me ;)

I'm sorry I'm not helping you anymore.

Daniel.

Ciao Daniel - thanks for your feedback.

So when FSWs are directly connected to FGT they're managed on L2, whereas L3 management occurs (or has to be configured) when they are connected through some other network devices.

This makes it clear that the 3 options you mention are not available anymore, as they're L2 functions/features...

Sadly, my design will not work - or better: it would work if I switch to L3 management completely.

BR,

Flavio.

Hi Flavio, hi Daniel,

keep in mind you have to option if you have 3rd party switches in your topology especially between FGT and FSW (most likely Core/Distribution switches right?):

1. Use the FortiSwitch in Standalone Mode. This gives you the full feature set and you can use your switch-models full feature set (even in some cases L3 features). You may also consider the new FortiSwitch Cloud Management if you want to manage them centrally.

2. Use FortiLink.

How it works: FortiLink is the base for all the magic the Telemtry/Fabric and Switch Controller of the FGT can do. It is designed as a L2 protocol so ideally the FSW is directly connected to the FGT and/or in the same broadcast domain.

Anyway since FSW-OS-6.x and FortiOS 6.x we have the opportunity to tunnel the FortiLink Protocol over a L3 network with CAPWAP which behaves much like an AP in Tunnel-Mode does.

You can find references here: https://docs.fortinet.com/uploaded/files/4464/managed-fortiswitch-601.pdf (p.23)

Bare in mind that this is only tunneling the FortiLink connection - no data! So you still need to configure trunks/tagged interfaces as uplinks for the data streams.

Hope this helps,

Daniel

Hi Daniel.

In my case I can't yet upgrade to FOS 6 so I have to remain with L2 setup I believe. This will simply mean that if the cluster master would move over to the firewall connected to Cisco switche, I would not be able to manage the FSW.

Am I right?

F.

Yes, then using Standalone Mode (maybe with FortiSwitch Cloud) is what you should aim for (for now).

Do you mean the stack master? Not sure what your actual setup is and how your Cisco Switches are configured. You might consider consulting a partner or local SE here.

P.S. thinking of it... do you use VLAN1 on that stack for something else than native?

Hi Daniel.

I'm already in touch with my local FSW Fortinet SE and he told me that my design is not supported.

VLAN1 in my Cisco stack is actually not needed/used - why do you ask?

F.