On a FGT60E running FortiOS v6.4, is there a way to create a "switch" with interface members internal2 and vlan_xyz?
Once we have the two interfaces bridged we wish to control (typically, block) multicast propagation between the two.
In FortiOS 6.4 I can see some likely suspects
config system physical-interface # does not seem directly useful
config system software-interface # ideal if we could add a vlan interface
config system virtual-interface
Perhaps software-interface is the best candidate? But in our current configuration none of these will accept a vlan interface as a member, can this be done and if so how? Is there some global setting I have overlooked to allow the behaviour we want? Is there an alternative simple way to achieve the end result?
I hope we can avoid building a transparent vdom.
How would this work logically?
If you bridge a VLAN (logical) + a physical port... what is the logical outcome?
What I mean is that the "physical port" is on the logical side either in the same VLAN, or a trunk.
If same vlan > VLAN switch may be the choice for you (maybe not in this small unit):https://docs.fortinet.com/document/fortigate/6.2.0/new-features/775595/virtual-switch-support-for-fo...
But if you can hypothetically pair a VLAN port with a trunk port, the VLAN port will only take the traffic tagged in its own VLAN, dropping everything else. And if you don't want this, then the solution is to make separate interfaces and have proper routing in between them.
Now, multicast is by default nor forwarded past the broadcast domain. Broadcast domain is contained by the first router.
If your goal is to block multicast, you don't need a switch construct.
If your goal is to forward multicast, you must use a switch construct (all ports in same VLAN if that's the goal).
Created on 04-12-2022 01:56 AM Edited on 04-12-2022 01:59 AM
Thank you for your reply.
The aim is managed switch-like behaviour, for the physical port to become an edge port on the vlan and ideally appear to users as just another port, and we would then have the ability to block multicast by policy assuming we could `set intra-switch-policy explicit` and then apply a multicast policy.
The "normal" functionality we want is easy on a managed switch, but there is a specific corner case we are trying to eliminate that we can't block on our switches, where a multicast packet arrives tagged with vlan 0 (which is an error and is correctly interpreted by the switch as a priority tag, but it causes a _whole_ world of trouble).
We are trying to use the firewall in some way to block multicast without having another subnet / using routing.
I believe that we could potentially assign two ports to a transparent vdom to achieve what we want (basically a bump in the wire), but it costs us an extra physical port and we have not used vdoms before.
Basically a physical interface with vlans attached to it on a fortigate behaves just like a vlan trunk on a managed switch does.
That means the subnet/vid the physical interface has/is connected to would be the pvid. So all traffic that doesn't match any vid attached to that physical interface will hit the physical interface while traffic that matches one of the attached vids will hit the corresponding vlan interaface.
Multicast traffic will afaik anyways not be routed between different vlans/subnets unless you create some multicast policy for it.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi,
I've the same question, is it possible to create more than one layer 2 vlan Interfaes (without any IP address assigned to it), and bridge all the vlans with one physical interfaces together works like a switch, then assign an IP address to the physical interface as default gateway and DHCP server.
The similar function provided by PFsense listed below for your reference:
PFsense:
How To PFSense Configure Network Interface As A Bridge / Network Switch - nixCraft (cyberciti.biz)
Palo Alto:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK
Thanks!
Hi,
I've found the solution that was already mentioned in Fortiswitch and Fortigate admin. guide, that is :
https://docs.fortinet.com/document/fortiswitch/7.4.1/fortilink-guide/546342/configuring-vlans
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can add multiple managed FortiSwitch VLANs to a software switch using the GUI or CLI. In previous releases, you could add only one managed FortiSwitch VLAN per FortiGate device to a software switch.
Traffic between two VLANs is controlled by the intra-switch-policy setting under the config system switch-interface command. By default, intra-switch-policy is set to implicit, which allows traffic between software switch members.
attahced. is my lab network diagram for your reference.
we are running 7.0 currently and what you can do with this is: you can create a switch out of physical interfaces and then attach vlans to the switch interface. Then this would mean the member interfaces of the switch are vlan trunks (i.e. tagged in all attached vlans). I do this with up to 20 vlans on one vswitch on my FGTs and it work fine.
Then there is Uplink from that vswitch members to my core switches where the corresponding port is also configured to be a vlan trunk. Then vlans can be (un)tagged to the other ports on the switches as required.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1743 | |
1114 | |
760 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.