Hi, I'm trying to configure a LAG on a FortiGate 40F (running on version 6.4.14 at this time (if an upgrade is required that's ok)) for connection to a FortiSwitch S124FP. I've already configured a LAG on the switch, I just need to get it on the firewall, too.
I found a YouTube video showing how to configure a LAG (https://www.youtube.com/watch?v=SGCSu5iXID4), but I seem to run into the immediate problem that all of my numbered ports on the firewall are already configured into a "Hardware switch" and are not available for configuring into the LAG. The "Hardware switch" will not allow for deletion or removal of all ports, and removing any of the ports from it results in immediate loss of internet connection through the firewall (though I remain able to connect to the web interface).
The firewall has 3 normal numbered ports (1-3), a lettered port (A), and a WAN port. I'm assuming the lettered port is not available for a normal LAG, or at the least not if I also wish to use the FortiLink feature to control the FortiSwitch. So I guess very simply, how do I get the remaining ports into a LAG for use with the switch? (Please note I'm more comfortable with the GUI than CLI, but if there are things that can only be done through the CLI, then so be it.)
(I want the LAG for increased throughput, not redundancy. This firewall & switch, along with a couple of FortiAPs, are going to be used at a conference in a couple of weeks where we're going to have a lot of people connected, wireless and physically, with a lot of internally routed traffic and large data transfers happening. I want to ensure that the bandwidth between the devices will not be the bottleneck.)
Edit: Meant to include a screenshot.
You should be able to break those three ports and make 2 and 3 individual as long as you keep the "lan" hard-switch with only 1. The lan is used for the default policy1 and DHCP server (edit 1), so it would take more work to remove it. So I suggest leaving it there until you need to use port 1. I regularly do this with the CLI, but you should be able to do it with the GUI as well.
Also, port A is the only member of the "fortilink" LAG port by default after 6.4. You can delete the fortilink if you don't have a plan to use switch-controller for FSWs. You have to tweak the ntp config not to serve to the fortilink interface and remove the DHCP server (edit 2) for fortilink, then you can remove it. Then port A is alone and you can make it a wan or lan port or even a LAG member.
Toshi
Thanks, this is good to know I can use port A for something other than the FortiLink. While I can see the benefits there, at this time I'd kind of rather increase the uplink bandwidth.
If possible, I do want to get port 1 into the LAG as well. I have been successful in removing 2, 3, and A from their original groups and have added them to a new LAG, gave the LAG the same settings that I could see in the Hardware switch (minus an STP setting as that's not available in the LAG), and even configured a DHCP scope (at a different IP range because it can't be the same as the original).
However, it doesn't seem to work. I don't get an IP lease out of it, and manually setting my computer's IP while connected to one of the 3 ports still will not bring up the firewall's interface.
Not sure why configuring a LAG on this firewall has to be so much more complicated than the switch. XD
If all you know is CLI, I'm willing to go that route. I'm not 100% unfamiliar with the concept. I've never used Fortinet's, but I have used Cisco's in the past, though mostly for basic tasks.
Ok, so I think I finally have it. I had to change the switch LAG settings, though. Not sure I fully understand the differences between the different modes? Static vs Active LACP vs Passive LACP. I guess maybe I (wrongly?) had in my head that Active and Passive were redundancy modes and not actually bandwidth increasing? But anyway, setting the switch's LAG mode to Active allowed it to work. Then it was a matter of unplugging and plugging in various cables so I could switch between networks on the firewall, as it wouldn't let me use an IP for the LAG in the same network as the Hardware switch. After switching over the firewall policy and deleting the DHCP and IP scopes from it, it then let me delete the Hardware switch, add port 1 to the LAG, and then I was able to change the IP back into the range I wanted.
So thank you for your help. Obviously I had something misconfigured from the start and that was where some of my difficulties were stemming from.
That's not how a LAG works or is designed for. A LAG is a connection between ONLY two devices. In your case the one side is the 40F, and the other side is like a switch that supports LAG/LACP. From there all VLANs on the LAG can be spread to each port as "access" ports. This way, the connection between the FGT and the switch has 2G or 3Gbps in bandwidth.
Toshi
I'm unsure what part of my post you are referring to with the opening line of "That's not how a LAG works or is designed for"?
"manually setting my computer's IP while connected to one of the 3 ports"
I thought you directly connected your computer to 1, 2 or a.
Created on 07-07-2023 09:49 AM Edited on 07-07-2023 09:50 AM
Ok, yes, sorry, I did do that, but that was after trying through the switch itself (I was direct connected to the switch originally).
Edit: When I get a chance, I'll try it all over again. I may just factory reset everything and try from scratch. For all I know, I've changed a setting somewhere that's interfering.
The command lines you need to run to check it are below:
diag netlink aggregate list
diag netlink aggregate name <name>
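For readers following the same path, here is the FortiOS CLI equivalent of what the thread arrives at: the aggregate interface with LACP set to Active (matching the switch side), followed by the two check commands above. This is an added example, not configuration posted by anyone in the thread; the interface names lan1/lan2/lan3/a, the VDOM "root" and the address 192.168.1.99/24 are assumptions, and the members must already have been released from the "lan" hardware switch and the "fortilink" aggregate as described in the earlier posts.

```fortios
# Added example, not from the thread. Member names are assumed; confirm the
# real interface names on your 40F first with:  show system interface
config system interface
    edit "lag1"
        set vdom "root"
        set type aggregate
        # Ports must no longer belong to the "lan" hardware switch or the
        # "fortilink" aggregate, otherwise this command is rejected.
        set member "lan1" "lan2" "lan3" "a"
        # Both ends negotiate LACP actively; the OP's switch-side LAG only
        # came up once it was set to Active. "static" (no LACP) is the other
        # consistent choice, but then both ends must be static.
        set lacp-mode active
        set lacp-speed fast
        # Keep management access on the new interface so the admin session
        # is not lost once the policy and DHCP scope move over to it.
        set allowaccess ping https ssh
        # Constructed address: it may not overlap the hardware switch subnet
        # while both interfaces still exist.
        set ip 192.168.1.99 255.255.255.0
        set alias "Uplink to FortiSwitch"
    next
end

# Verification: every member should show as up, and the LACP partner state
# should be synchronized on all of them before moving production traffic.
diagnose netlink aggregate list
diagnose netlink aggregate name lag1
```

If a member stays down while its link LED is lit, check that the switch LAG is in the same LACP mode (Active or Static) rather than Passive on both ends.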