I am new to Fortinet but a long time security / networking administrator. I recently acquired a FortiGate 40F, FortiSwitch 108F and a FortiAP 221 to test it out and learn about Fortinet.
I am running into a stupid problem that I can't understand:
I would like to create VLANs on both FortiSwitch and FortiGate so that FortiGate is the gateway and DHCP-server on these VLAN networks. Furthermore, I would like to use the VLANs on the FortiSwitch so that I can use multiple ports on the switch on these VLANs, say port 1-4 has native VLAN accounting_VLAN and port 5-8 has VLAN printer_vlan, etc.
I would also like to use 1 or more ports on the FortiGate on these VLANs if needed. But this does not seem to be possible, to create a VLAN and then tag the VLAN on both FortiGate and FortiSwtich ports?
From what I can see now, if using VLANs on the FortiSwitch, I can't use these VLANs on the FortiGate ports and use the FG ports for connecting devices to the VLANs that I use?
High Level overview of what I am trying to do:
1. Create VLAN accounting_VLAN(VLAN ID=10) and office_VLAN(VLAN ID=20) on FortiGate with IP-address and DHCP enabled etc. so that the Fortigate is the gateway for the VLAN network.
2. Use the accounting_VLAN on FortiGate ports so that devices can be plugged into the FortiGate and assigned to one of these VLANs.(if FG-40F, then less ports to use, if 200F then more ports to use)
3. Connect FortiSwtich to FortiGate using Fortlink.
4. Trunk the accounting_VLAN on the trunk to the FortiSwitch
5. Use the accounting_VLAN ports on the FortiSwitch, for example ports 1-8 on accounting_VLAN and ports 9-13 on office_VLAN.
However, this doesn't seem to be possible from my testing different configurations? I can create VLANs on the FortiSwtich and tag them as native VLANs on different ports, but I can't use those VLANs on the FortiGate for creating a firewall/gateway interface to those VLANs.
When creating a FSW VLAN the "Create address object matching subnet" was checked by default. So I tested to remove the object that was automatically created and then the VLAN "CLIENT" was available in the Software switch. Quite weird experience and GUI logic to be honest, doesn't make it easy for admins to configure FGT and FSW devices this way :(
Hope this helps for all other people out there trying to do this pretty simple and normal setup on a Fortigate and Fortiswitch. ;)
From FGT's view (or config), Fortilink is one of hard-switches. You can see it in CLI under "config system virtual-switch". When a VLAN is in a hard-switch, the same VLAN can not be a member of other hard-switch or soft-switch.
I would also like to use 1 or more ports on the FortiGate on these VLANs if needed. But this does not seem to be possible, to create a VLAN and then tag the VLAN on both FortiGate and FortiSwitch ports?
perhaps an annoying question, but why?
i personally just say it isn't possible, even though im not 100% sure. once you go FortiSwitch you use the FortiSwitch and don't mix and match VLANs with the FortiGate for access.
Well, now I have a FortiGate 40F so I don't loose too many ports, but if I get a bigger FortiGate with more ports, those ports can become virtually unusable when using FortiGate + FortiSwitch and that just feels wrong and stupid if i can't be done. :(
yeah ok, i get your reasoning. Fortinet seems to be moving away from the FortiGate models with lots of interface in general is my observation.
and sure you waste some, but in general i don't see it as that much of an issue. i do understand your point, but i would accept just provide enough FortiSwitches for the access ports and build a large enough link aggregate between the FortiGate and the switches.
1. create your two VLan IDs with blank IP (0.0.0.0/0.0.0.0)
2. assign the vlans to their respective ports either as native or trunked On FG: 1. remove the hardware switch ports from any attached interface. 2. create new interface/type/software switch for each vlan. 3. add the members/ports and the associated vlan you want to traverse those ports. 4. configure the IP/Netmask and the DHCP Server options and any other settings you want for that software switch interface/vlan.
One caveat I read that using software switch is not recommended due to possible performance hits.
I just tried this on one of my set ups and it didn't work properly. Looks like we can only add one fortiswitch created vlan into each software switch. So in doing so, you will need to create two software switch. Only issue with that is, it looks like you may need to connect two patches to the fortiswitch so you can trunk both of the vlans to the switch. So I would just create one software switch for one particular vlan. Then you can connect devices for that vlan onto the fg and fs. Then create a separate vlan on the fs for the second vlan with the proper IP and dhcp settings. Then assign the vlans to the correct ports on the switch.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.