Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ErikW
New Contributor

FortiGate + FortiSwitch - Ports don't intergrate. Am I missing something?

I've been using Fortigate for years, finally got a Fortisiwtch to add to my system, and it doesn't do what I thought it did.  Maybe I am missing something, so I thought I'd post here to see. (support was no help).

 

When you add a Fortiswitch to a Fortigate, it does not give you more ports to work with, it gives you a DIFFERENT set of ports to work with.

 

In my setup, I have a bunch of VLANS - I then have a few physical ports on the firewall that are VLAN trunk ports (all the VLANs are beneath it).  I currently run those ports to some HP switches where I can then trunk to a server or send a specific vlan.

 

I assumed adding a fortiswitch would allow me to do the same, but I can't.   The fortiswitch REQUIRES me to make a new set of VLANS  - they can use the same TAGS, but will not talk to the Fortgate VLANS.  The new Switch VLANS can ONLY be used in rules, and not in anything like a software switch.   So no linking to existing networks, requires all new IP ranges. Can't link a SSID.

 

I'm almost thinking I need to run 2 cables from the FG to the FS - 1 for control, and one as a VLAN trunk and just use the common GUI for ease of management, but treat them as 2 separate systems.

 

Does anyone have any better ideas?

 

6 REPLIES 6
boneyard
Valued Contributor

they integrate well enough if you start using them from the start (or migrate everything once you add them) and primarily use the FortiSwitch for your ports, not longer your FortiGate.

 

that is how it is, no better news for you.

 

i do understand what you were hoping for and it would have been awesome but that requires a whole different level of engineering and possible issues.

ac1
Contributor II

You must use the FortiLink port and Software Switch for propagate the vlans on others ports of FortiGate.

khalavak
New Contributor II

Hello @ac1 

Can you please elaborate on how to use the FortiLink port for VLANS and then propagate them on other ports on FortiGate using Software switch?

 

ac1
Contributor II

Hi Khalavak,

Respect these steps:

1- create softwarw switch for each vlan

2- assigne the ip on the software switch

3- create vlan on fortilink, do not assigne ip or other settings

4- add vlan to software switch

 

The fortilink propagate the vlans on each fortiswitch.

khalavak
New Contributor II

Hello,

can you show some examples because that doesn't seem to work the way I thought it would work? Creating a software switch doesn't require a VLAN ID to be used for the switch. Then I get duplicate name conflicts when ny software switch name and VLAN name conflicts so have to use slightly different names. 

 

1. Create software switch: Ok this works, I can create a software switch that "represents" the VLAN that I will be making in the later step, but now just with IP-address and no VLAN IDs tagged. 

 

2. IP-address added to the software switch works as for any interface in Fortigate. 

 

3. Not sure what you mean here with "Create VLAN on Fortilink". I assume you mean creating the VLAN on the FortiGate and adding the software switch to the VLAN?

 

4. When adding the VLAN to the FortiSwitch, I have to use a different name than the one used on the FortiGate, which is very confusing and odd and **bleep**edup in my opinion. Creating VLANs and assigning tagged/untagged to interfaces should not be this complicated on a modern firewall!????

 


@ac1 wrote:

Hi Khalavak,

Respect these steps:

1- create softwarw switch for each vlan

2- assigne the ip on the software switch

3- create vlan on fortilink, do not assigne ip or other settings

4- add vlan to software switch

 

The fortilink propagate the vlans on each fortiswitch.


    edit "CLIENT_vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http fabric
        set type switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 10
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
    next
    edit "CLIENT"
        set vdom "root"
        set allowaccess ping https ssh http
        set device-identification enable
        set role lan
        set snmp-index 11
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
        set interface "CLIENT_vlan10"
        set vlanid 10
    next
    edit "CLIENT_vlan"
        set vdom "root"
        set allowaccess ping https ssh snmp http
        set device-identification enable
        set role lan
        set snmp-index 12
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
        set interface "fortilink"
        set vlanid 10
    next 
end

 

Here is an example of config for CLIENT interface with the setup you described, does it look oK?

 

-kim

 

ac1
Contributor II

3. Create vlan on FortiLink:

Select Type= "VLAN"

Select Interface= "fortilink"

IP/Netmask= 0.0.0.0/0.0.0.0

 

4. In Software Switch:

Interface members: Add the VLAN

 

The goal is to propagate the vlan on FortiSwitch and in other ports of FortiGate. From now you are able to assigne vlan on each port of FortiSwitch. The tag and untagged vlan on "trunk" ports in fortilink doesn't exitst in FortiGate.

In FortiSwitch there are ports dedicated for fortlink connection:

Devices Managed by FortiOS | FortiSwitch 7.0.2 | Fortinet Documentation Library

 

But you must define the correct topology network for your environment:

http://docs.fortinet.com/document/fortiswitch/7.0.2/devices-managed-by-fortios/617516/determining-th...

 

 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors