Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Chris32
New Contributor

Created on ‎04-08-2025 03:41 AM

Fortigate 60F in HA with two Fortiswitches 148F-FPOE 

Hello everyone,

I'm planning to set up two Fortigate 60F (with HA active/passive) and two Fortiwitchs 148F-POE.

Before the setup, I created a diagram and wanted to know if my topology was correct and i have questions.

Visio.png

- My configuration is correct ?
- Do I need to create a trunk between the two switches, or is it not necessary?
- Does FortiLink Split Interface need to be enabled? If so, on both FortiLink interfaces A and B of the main Fortigate ?

Thank you for your help.
Chris
Labels:
831
0 Kudos
3 REPLIES 3
atakannatak
Contributor II

Created on ‎04-08-2025 04:38 AM Edited on ‎04-08-2025 04:39 AM

Hi @Chris32 ,

 

For answers to your questions and to ensure seamless redundancy between your FortiGate HA pair and dual FortiSwitches, follow this design:

 

  • FortiLink Redundancy via MCLAG: Use MCLAG on the two FortiSwitches. This allows both switches to act as one logical FortiLink fabric from the FortiGate’s point of view. MCLAG requires both FortiSwitches to be interconnected via an ICL and configured properly for MCLAG peering.

https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801194/deploying-mcl...

 

  • The split interface must be disabled, as it is required in a redundant setup.

https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801208/transitioning...

 

  • FortiGate FortiLink Connection: Each FortiGate (A and B) should connect to both FortiSwitches. FortiGate A connects to SW1 (port1) and SW2 (port2). FortiGate B does the same. Configure these ports as part of a FortiLink, with redundant connections to each switch.

When a FortiGate fails, the FortiSwitches will continue to operate and maintain FortiLink with the secondary FortiGate (now active). MCLAG ensures that endpoints connected to the FortiSwitches maintain connectivity through whichever FortiGate is active.

 

Additionally, I’ve highlighted the necessary connections in a sample setup and shared them with you in the image below.

 

  • Blue connections represent MCLAG (ICL) links between switches, configured as trunks.
  • Red and green connections represent FortiLink connections from the active and passive firewalls to each switch, ensuring redundancy.

 

FortiSwitch Toplogy.jpg

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

 

CCIE #68781

Atakan Atak
Atakan Atak
822
Chris32
New Contributor
In response to atakannatak

Created on ‎04-08-2025 05:28 AM

Hi Atakan Atak !

 

Thank you for your feedback.

If I'm not mistaken, it's not possible to use MCLAG with 148F-POE switches. Isn't that possible starting with the 200 series?

 

I'm new to Fortinet and wanted to do this configuration as simple as possible.

Thank you in advance for your feedback.

Chris

798
0 Kudos
atakannatak
Contributor II
In response to Chris32

Created on ‎04-08-2025 06:32 AM

Hi @Chris32 ,

 

As you pointed out, it does appear that the 148F models might not be supported. To be honest, I wasn’t aware of this either. However, just to be sure, it would be helpful to confirm whether the configurations from the previous references have also been applied on the FortiSwitch CLI side.

 

You can also find the full feature matrix in the article linked below, which lists all supported features:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/025d119d-9412-11eb-b70b-005056...

 

In that case, the topology you mentioned would be the most suitable approach and aligns with best practices. Regarding your questions:

 

Q1-Your configuration is correct.
Q2/3-In this scenario, the only condition that affects the need for a connection between the switches depends on how you configure the split-interface setting:

 

  • If you plan to use your FortiLink connections in active-active mode (i.e., split-interface disabled), then a direct connection between the switches is not necessary.
  • However, if split-interface is enabled, and there is no connection between the switches, client traffic coming through the passive link may face connectivity issues.

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

 

CCIE #68781

Atakan Atak
Atakan Atak
779
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.