Full-stack Fortinet network (FGT, FSW, FAP) - anyone tried it out or implemented?
I am presently scoping a network refresh at an HQ. Needs aren't too crazy as most servers have been moved to the cloud, and it will max out around 200 users. My primary plan was to use FortiGates in HA, perhaps a FortiSwitch at the edge using FortiLink, and then Cisco Meraki stacked switches at the core (most of the office terminates to it), as well as lower-end Cisco Meraki for access switches. There will be 5-7 switches total. Cisco Meraki APs are already in use, which I was planning to keep, but more will be needed with the refresh. All switching will be PoE.
However, looking further into FortiLink, and after talking with Fortinet presales recently, I am intrigued by doing a full stack in Fortinet, with FortiLink used to manage border/edge, core and access, and to manage APs. FortiManager and FortiAnalyzer would be used in this setup then, to match Cisco Meraki functionality and visibility as we scale it out across locations.
Has anyone tried this kind of 'full stack' Fortinet out yet? Any implementations done? Fortinet was confident they could come in considerably cheaper - which is always good - and I would have only 'one pane of glass' then to see the entire network. So as I said, it's intriguing, but I absolutely need the solution to be rock solid when it goes in, and I need it to be able to be done again and again over the next few years at additional locations worldwide.
I have a couple of clients running FortiAPs and FortiSwitches ... and have them set up in my home lab. AP management from the FortiGate is awesome. FortiSwitch management with 5.4.1 is now quite good... was a *itch in 5.2. Many of the switches now require 5.4 to be managed.
What I haven't been able to find in the FortiGate management of a FortiSwitch yet is the arp table from the switch... but I haven't looked all that hard.
I do not have multiple VDOMs set up on any FortiGate with FortiSwitch attached.
Dittos on the *itch bit in 5.2.x. In 5.4.1 it's pretty awesome. I've had a FSW-108D-POE at home off of a 60D-POE for nearly a year.
Read the document titled Manage FSW from FGT 54 ... and pay attention to the stacking section. With 5.4.1 only one switch is connected to the FortiGate on the port dedicated to FortiLink. The stacking section of that doc explains how to build a LAG on the FortiGate and enable stacking so that you can have the other end of your stack connected for failover in the event of a failure of the active one.
FortiLink is not enabled on all ports of some switches by default ... the 48 port switches had FortiLink enabled from the factory only on the fiber ports.
LAG has to be built in CLI, no LAG between multiple switches (though I'm told that is coming).
No LAG on FortiLink ports (want more than a 1 Gbps link, get switches with faster ports) ... hopefully this change will be coming.
I've got one in a 2-switch stack right now that's showing as offline, though it's still switching fine as a server and most of the desktops in this office are still talking fine. Support is looking into it so we're letting it float as is right now.
I've contemplated keeping the management ports connected as a back door from the FortiGate, though managing them away from the FortiGate could potentially create some issues... gotta discuss that with some engineers at some point.
Overall I'm liking the FortiSwitch and FortiAP management from the FortiGate. One last note... when upgrading FortiOS, be sure and read the release notes. On the home network I failed to upgrade the switch and AP before the Gate from 5.4 to 5.4.1... and it created some craziness that was resolved once the managed devices were upgraded. Lesson learned... upgrade switch and AP before Gate!
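A worked configuration for the "LAG on the FortiGate" step referred to above, written out as an added example rather than taken from the post or from Fortinet's document. It assumes FortiOS 5.4.x, that the FortiGate ports "port5" and "port6" are free, and that one cable runs from each of them to a FortiLink-capable port on each end of the two-switch stack; the switch serial under managed-switch is a placeholder. The stack-side enable on the FortiSwitch itself is not shown and should be taken from the document the post cites.

```fortios
# Added example, FortiOS 5.4.x CLI. Not from the post or from Fortinet's doc.
# Assumed: port5 and port6 are unused and each is cabled to one end of the stack.

# 1. The FortiLink interface as a static LAG (LACP must be static for FortiLink in 5.4).
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set type aggregate
        set member "port5" "port6"
        set lacp-mode static
        set ip 169.254.1.1 255.255.255.0
        set allowaccess ping capwap
    next
end

# 2. DHCP on the FortiLink interface, handing addresses only to FortiSwitch clients
#    (vendor-class match) so a stray host plugged into a FortiLink port gets nothing.
config system dhcp server
    edit 1
        set interface "fortilink"
        set default-gateway 169.254.1.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 169.254.1.2
                set end-ip 169.254.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch"
    next
end

# 3. Authorize the discovered switch. The serial below is a placeholder; use the one
#    shown under WiFi & Switch Controller > Managed FortiSwitch.
config switch-controller managed-switch
    edit "S108DV0000000000"
        set fsw-wan1-admin enable
    next
end

# 4. Confirm the switch is up before trusting failover.
execute switch-controller get-conn-status
```

Build the aggregate and the DHCP scope before cabling the second link; with only one member cabled the LAG still forms in static mode, and `execute switch-controller get-conn-status` should then show the stack as connected. Exact output columns vary between 5.4 builds, so check the release notes for your version as the post advises.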
I am very happy that you stated something other than FortiSwitch for your core. Fortinet switches don't provide stacking like Cisco's do (one logical device), which is frustrating. It means HA switch configs don't REALLY work if you are using them for multiple connections to SANs, servers and routers.
I have clients that run FortiGate > FortiSwitch > FortiAP
It works well. These are smaller clients though. Medium size to enterprise size you go with good switches on your core (juniper or cisco) and let the Gate handle the perimeter and the FortiSwitch/FortiAPs handle the access section.
All in all, for enterprise environments where you want switches that actually have the normal features enterprises need... stay away from FortiSwitch. They are great for access connections and basic switching though.