Hello,
We are implementing a FortiGate 40F for our office environment. We are trying FortiSwitches to see if the add some value compared to other brands.
Three benefits I can think of is:
FortiLink
Visibility
FortiNAC
The problem:
The FortiSwitch is linked to the FortiGate with fortilink and everything seems to be running fine from the FortiGate point of view. I can see the switch, It shows mac adresses and devices from Ports and so on. But when i change a vlan from the WiFi & Switch Controller -> FortiSwitch Ports -> Native Vlan or Allowed Vlans, it is not updated on the FortiSwitch. The first time i changed some vlans it actually did change on the switch, but since then i need to manually change the vlans on the switch also.
Same happens when i tried to enable FortiNAC on some ports. In the gui it reflects the fortiNAC Policy with the correct VLAN but on the switch nothing changes.
Both Switch and FortiGate is running firmware: 7.0.2.
Maybe I misunderstood how FortiLink should work ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Blacktron,
How do you mean by "Enabling FortiNAC on some ports"? There is a NAC function on the FortiGates but, it is not FortiNAC. FortiNAC is a separate Fortinet product that works in a somewhat different manner in how it changes the vlans on the FortiSwitches.
The practice is still similar, the Fortigate profiles the device on the port (Device Pattern). If the device matches the profile, then it makes the changes that are defined in the NAC policy. Chances are the device being plugged in may not be matching the device pattern and, therefore, not getting the vlan change.
The FortiLink in this case, is just the management link between the FortiSwitches and the FortiGate. It also acts like a switch trunk port to allow all vlans to go to the FortiGate.
If this information was helpful please do not forget to hit the thumbs-up button!
I am sorry for the mixup. I am new to Fortinet and the features. I meant NAC. Setting NAC mode on the ports and defining a NAC Policy. I made a policy matching a specific MAC adress for test. The main issue was that the VLAN is not updating on the switch when defining the Native VLAN in static mode or in NAC mode when the policy is matched.
I was going to post some screendumps but now it actually works. The FortiGate is updating the switch configuration through FortiLink. This hasnt been working until now.
Only thing missing now is that the NAC policy is showing 0 matched devices, but it configured the port correctly for the NAC policy.
And no....
It´s only working some times. I configured port 4 and 6 in NAC mode. I made a NAC policy to match the exact mac address of my printer ( home lab test setup ). When i wrote the last reply i put it in 4, and port 4 was given the VLAN 30 as per my NAC policy. When I put it in port 6, port 4 was removed from vlan 30 and port 6 was added to vlan 30 as expected.
But when i put it back in port 4 nothing happened and now, no matter what port i put it in, it doesnt work.
I noticed that when i connect to the switch via the GUI CLI console the connections times out. Sometimes within short time 15 seconds etc.
It seems like an unstable connection to the FortiSwitch? ( Nothing wrong with the cabling ). Does the FortiGate only send commands once to the switch, and if those for some reason is not recieved nothing more will happen? or does the FortiGate check the switch config regularly and correct it ?
I had had an issue with NTP in the beginning that i fixed. This caused a lot of issues.
It might be doing a polling action every so often. I would need to see what logging we can pull for the NAC function of the FortiGate so get better insight. How long have you left the device on the port since you moved it back to 4?
Hi Blacktron,
run a
diag debug report
on the switches CLI and also check what set of logs you can get from the FGT.
At least on the later firmwares you should also be able debug well and see the matching devices in the GUI of the NAC policies (somewhere on the upper right, a bit hidden)
This helped me when I set this up.
looks like EMS related, but it isn't really.
diagnose switch-controller mac-device nac known
Hope it helps.
Best regards,
Markus
Thanks for the replies. Useful commands.
I managed to get it stuck again. The following messages is incrementing, look at the number after VLAN. Port 6 is actually down(link down) and I put the printer in port 4, but for some reason the firewall is not updating this.
FW1 # diagnose switch-controller mac-device nac known
Vdom: root
MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT MATCHED-NAC-POLICY MAC-POLICY-ACTION LAST-SEEN FSW-ID COMMENTS
xx:xx:xx:xx:xx:xx S124XXXXXXXXXXXX port6 Correct Printer VLAN Correct Printer VLAN 95 2 auto detected @ 2021-12-08 13:05:23
FW1 # diagnose switch-controller mac-device nac known
Vdom: root
MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT MATCHED-NAC-POLICY MAC-POLICY-ACTION LAST-SEEN FSW-ID COMMENTS
xx:xx:xx:xx:xx:xx S124XXXXXXXXXXXX port6 Correct Printer VLAN Correct Printer VLAN 97 2 auto detected @ 2021-12-08 13:05:23
FW1 # diagnose switch-controller mac-device nac known
Vdom: root
MAC LAST-KNOWN-SWITCH LAST-KNOWN-PORT MATCHED-NAC-POLICY MAC-POLICY-ACTION LAST-SEEN FSW-ID COMMENTS
xx:xx:xx:xx:xx:xx S124XXXXXXXXXXXX port6 Correct Printer VLAN Correct Printer VLAN 115 2 auto detected @ 2021-12-08 13:05:23
After 10 minutes its still stuck, after 20 minutes it was correct on port 4.
you can also run a
diag ip arp list
to see the interface state and the known MACs on each port. The state can give you better information although more through a comparative manner.
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.