
Managed Switch Fortiswitch for a Wan interface

I have a lab setup which will eventually be used on sites.
I have one FortiGate which acts as the router and firewall, and one managed switch hanging off this FortiGate with APs connected to it.
The legacy setup was a Cisco switch and FortiGate, wherein the Cisco switch acted as a layer 2 switch for passing the WAN connections to the FortiGate as well as the core switch providing connectivity to users.
It was a basic router-on-a-stick configuration with the Cisco switch hanging off the FortiGate and multiple WAN interfaces used for SD-WAN connections and LAN interfaces for the users.
I am trying to replicate the same with the FortiSwitch but in managed mode. I see the Forti VLANs are attached to the FortiLink interface and the WAN interfaces from the FortiGate are mapped to another interface (port1) on the FortiGate.
I configured the FortiSwitch with the same VLANs as the Cisco switch and connected the FortiGate (port1) on the same ports as the Cisco switch, with an exclusive port (port4) just for the FortiLink so that the FortiGate can manage the FortiSwitch.
But I have not been having any luck with this configuration.
I need the WAN interface from my provider equipment to be able to communicate with the FortiGate (port1) while connected on the FortiSwitch in managed mode through FortiLink on port4. Both of them have the same VLAN ID 216 (VLAN 216 on the FortiGate interface port1 and Forti VLAN 216 on FortiLink interface port4) allowed through, but there seems to be no communication.
Any suggestions?


Hi @efernandes ,


Here you can use port1 and port4 as part of an aggregated interface, which is then configured as FortiLink (please make sure to disable split interface so both ports are active).


Sample Configuration:

config system interface
    edit "fortilink"
        set ip x.x.x.x
        set member "port1" "port4"
        set auto-auth-extension-device enable
    next
end

Please check if this approach helps with your problem.


Best Regards


So, you want to use the SW ports to also terminate the WAN links and span them to the FGT?

If that is the case, then I think you need to create those VLANs in the FortiLink interface and manage them through the SW controller. I don't think having two separate links to the FSW will work well; it's better to build a LAG to have better throughput and use them as a single FLink for router-on-a-stick functions.


- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

Thank you, I shall try this. But we have a lot of WAN connections that need to be spanned across, and corresponding SD-WAN zones with tunnels across each WAN. It might get a bit complex to manage...
To keep it simple, we may keep a core switch doing only layer 2 for all the WAN connections and a trunk to the FG, and then manage the downstream LANs via the FortiLANs/managed switch.


I want to do this as well. I have two WAN interfaces and two VDOMs right now, and I want to add a WAN-side switch. How do I execute this? Am I exposing myself to risk because of the allow access built into the switch? Do I plug the WAN interfaces into the switch and keep my policies, or do I just static the VLANs and policy them directly LAN to VDOM links? Because when I first tried it, plugging my aggregate WAN interfaces into my switch and having my policies go from WAN to VDOM links, I was getting IP conflict warnings. Also, is having a WAN-side switch a good or bad idea on an HA configuration? I think if I plug my router into a random port on my switch, create my VLANs, policy those to each VDOM link and static route them, I should be good?
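
Related to the allowaccess question above, an added example (not part of the thread and not Fortinet code): a Python check that reads a FortiOS interface config and reports WAN VLAN sub-interfaces on the FortiLink interface that allow management protocols. The sample config, the interface names and the set of protocols treated as management access are assumptions.

```python
import re

# Constructed sample (not from the thread); interface names are hypothetical.
SAMPLE_CONFIG = '''
config system interface
    edit "fortilink"
        set member "port1" "port4"
        set allowaccess ping fabric
    next
    edit "wan216"
        set allowaccess ping https ssh
        set interface "fortilink"
        set vlanid 216
    next
    edit "lan10"
        set allowaccess ping https
        set interface "fortilink"
        set vlanid 10
    next
end
'''

# Assumption: these allowaccess values count as management access for the audit.
MGMT = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}

def parse_interfaces(text):
    """Return {interface name: {setting: [values]}} for each edit block."""
    interfaces, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r'edit "([^"]+)"', line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, *values = line[4:].replace('"', "").split()
            current[key] = values
    return interfaces

def exposed_wan_vlans(text, wan_vlan_ids, parent="fortilink"):
    """Map each WAN VLAN interface on `parent` to the management protocols it allows."""
    findings = {}
    for name, cfg in parse_interfaces(text).items():
        vlan = int(cfg.get("vlanid", ["0"])[0])
        if cfg.get("interface") == [parent] and vlan in wan_vlan_ids:
            risky = sorted(MGMT & set(cfg.get("allowaccess", [])))
            if risky:
                findings[name] = risky
    return findings
```

Calling `exposed_wan_vlans(SAMPLE_CONFIG, {216})` flags `wan216` for `https` and `ssh`; the LAN VLAN is ignored because its ID is not in the WAN set.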

