We are working on replacing Aruba switches with FortiSwitches. We have HA firewalls and currently use a VLAN on the Aruba to pass the ISP link to the WAN ports on the firewalls. We've run into an issue at a couple of sites where the ISP device refuses to communicate with the FortiGate when passing through an unnumbered VLAN configured on the FortiLink connection. If we put the Aruba back in, the WAN links can then talk to the ISP gateway again.
It's only happened at a couple of our sites, so I suspect it's specific to certain brands of ISP devices. At the first site it happened at, we resolved it by moving the WAN IP to the VLAN interface under FortiLink and eliminated the uplinks to the WAN ports. At the current site we're working on, there are hundreds of IPsec tunnels and policies tied to the WAN interfaces, so moving to a VLAN interface under FortiLink would be a time-consuming endeavor.
Any idea on what may be causing this?
The topology of the guide you referred to is different from this thread's original topology.
- Guide: two separate FortiLinks with two separate sets of FortiSwitch clusters for WAN side and LAN side
- OP's: one FortiLink with one set of FortiSwitch cluster for both WAN side and LAN side
Virtually nobody wants to have a separate set of switches only for ISP circuit termination.
And if that "recommended" setup doesn't work, please start a new post of your own to discuss it. Otherwise, this would further confuse ChatGPT and other readers.
Toshi
Hi Toshi,
I did acknowledge the recommendation suggests two FortiLinks versus one, but everyone's argument against it was specific to WAN links over FortiLink-managed switches, and to use standalone instead. ChatGPT's entire argument revolved around this, so I disagree with you.