I've been using Fortigate for years, finally got a Fortisiwtch to add to my system, and it doesn't do what I thought it did. Maybe I am missing something, so I thought I'd post here to see. (support was no help).
When you add a Fortiswitch to a Fortigate, it does not give you more ports to work with, it gives you a DIFFERENT set of ports to work with.
In my setup, I have a bunch of VLANS - I then have a few physical ports on the firewall that are VLAN trunk ports (all the VLANs are beneath it). I currently run those ports to some HP switches where I can then trunk to a server or send a specific vlan.
I assumed adding a fortiswitch would allow me to do the same, but I can't. The fortiswitch REQUIRES me to make a new set of VLANS - they can use the same TAGS, but will not talk to the Fortgate VLANS. The new Switch VLANS can ONLY be used in rules, and not in anything like a software switch. So no linking to existing networks, requires all new IP ranges. Can't link a SSID.
I'm almost thinking I need to run 2 cables from the FG to the FS - 1 for control, and one as a VLAN trunk and just use the common GUI for ease of management, but treat them as 2 separate systems.
Does anyone have any better ideas?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
they integrate well enough if you start using them from the start (or migrate everything once you add them) and primarily use the FortiSwitch for your ports, not longer your FortiGate.
that is how it is, no better news for you.
i do understand what you were hoping for and it would have been awesome but that requires a whole different level of engineering and possible issues.
You must use the FortiLink port and Software Switch for propagate the vlans on others ports of FortiGate.
Hello @ac1
Can you please elaborate on how to use the FortiLink port for VLANS and then propagate them on other ports on FortiGate using Software switch?
Hi Khalavak,
Respect these steps:
1- create softwarw switch for each vlan
2- assigne the ip on the software switch
3- create vlan on fortilink, do not assigne ip or other settings
4- add vlan to software switch
The fortilink propagate the vlans on each fortiswitch.
Hello,
can you show some examples because that doesn't seem to work the way I thought it would work? Creating a software switch doesn't require a VLAN ID to be used for the switch. Then I get duplicate name conflicts when ny software switch name and VLAN name conflicts so have to use slightly different names.
1. Create software switch: Ok this works, I can create a software switch that "represents" the VLAN that I will be making in the later step, but now just with IP-address and no VLAN IDs tagged.
2. IP-address added to the software switch works as for any interface in Fortigate.
3. Not sure what you mean here with "Create VLAN on Fortilink". I assume you mean creating the VLAN on the FortiGate and adding the software switch to the VLAN?
4. When adding the VLAN to the FortiSwitch, I have to use a different name than the one used on the FortiGate, which is very confusing and odd and **bleep**edup in my opinion. Creating VLANs and assigning tagged/untagged to interfaces should not be this complicated on a modern firewall!????
@ac1 wrote:Hi Khalavak,
Respect these steps:
1- create softwarw switch for each vlan
2- assigne the ip on the software switch
3- create vlan on fortilink, do not assigne ip or other settings
4- add vlan to software switch
The fortilink propagate the vlans on each fortiswitch.
edit "CLIENT_vlan10"
set vdom "root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https ssh http fabric
set type switch
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 10
config ipv6
set ip6-send-adv enable
set ip6-other-flag enable
end
next
edit "CLIENT"
set vdom "root"
set allowaccess ping https ssh http
set device-identification enable
set role lan
set snmp-index 11
config ipv6
set ip6-send-adv enable
set ip6-other-flag enable
end
set interface "CLIENT_vlan10"
set vlanid 10
next
edit "CLIENT_vlan"
set vdom "root"
set allowaccess ping https ssh snmp http
set device-identification enable
set role lan
set snmp-index 12
config ipv6
set ip6-send-adv enable
set ip6-other-flag enable
end
set interface "fortilink"
set vlanid 10
next
end
Here is an example of config for CLIENT interface with the setup you described, does it look oK?
-kim
3. Create vlan on FortiLink:
Select Type= "VLAN"
Select Interface= "fortilink"
IP/Netmask= 0.0.0.0/0.0.0.0
4. In Software Switch:
Interface members: Add the VLAN
The goal is to propagate the vlan on FortiSwitch and in other ports of FortiGate. From now you are able to assigne vlan on each port of FortiSwitch. The tag and untagged vlan on "trunk" ports in fortilink doesn't exitst in FortiGate.
In FortiSwitch there are ports dedicated for fortlink connection:
Devices Managed by FortiOS | FortiSwitch 7.0.2 | Fortinet Documentation Library
But you must define the correct topology network for your environment:
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.