Tannu1986
New Contributor II

Managing the FortiSwitch and Fortiap in the HQ

FortiGate in headquarters, and switch and FortiAP in the branch office connected via VPN: is it possible to connect them to the FortiGate? Are they managed by the FortiGate? Can I address them at the IP level? How do I do it? Keep in mind that the VPN is based on the (91fgt), while in the shops there are MikroTiks all connected in IPsec.

I attached the photo: Screenshot 2024-10-10 alle 17.29.15.png

3 Replies
saleha
Staff

Hi,

Thank you for your inquiry. Yes, you can manage FortiSwitch and FortiAP remotely through an IPsec tunnel, where the controller/HQ FortiGate has to receive these packets through the IPsec tunnel. This will require that the branch router where the FSWs and FAPs are directly connected allows this traffic through the tunnel with the required rules and routes, and that the IPsec phase2 selector on the IPsec tunnel includes the IP addresses for the subnet that connects these devices. On the HQ FortiGate similar config is required:
1- firewall policy where the source interface is the ipsec tunnel and destination is the fortilink interface with matching ip addresses for source and destination

2- routes allowing the HQ fortigate to learn about the remote subnets belonging to the FAPs and FSWs.

3- phase2 selector must be configured on the fortigate where the remote address is that of the fortiswitches and the fortiaps.

 

Note: I assumed a site-to-site IPsec tunnel connecting the HQ FortiGate to the remote/branch router. If the FortiGate configuration is a "Dialup server" VPN then the phase2 selectors will not have any addresses, as the dialup server learns those from the connecting dialup clients.

 

Thank you,

saleha
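The three HQ-side items saleha lists above, written out as FortiOS CLI. This is an added illustration, not configuration from saleha or from Fortinet documentation; every name and subnet in it is a placeholder: "branch-p1" is assumed to be the existing site-to-site phase1-interface to the branch, 192.168.50.0/24 the branch LAN where the FortiSwitch and FortiAP sit, 10.10.10.0/24 the HQ FortiLink subnet, and "fortilink" the HQ FortiLink interface name.

```fortios
# Added example (not from the original post). Placeholders:
#   branch-p1        existing site-to-site IPsec phase1-interface to the branch
#   192.168.50.0/24  branch LAN holding the FortiSwitch / FortiAP
#   10.10.10.0/24    HQ FortiLink subnet, interface "fortilink"

# Item 3: phase2 selector that carries the FortiLink subnet <-> branch subnet.
# The branch router must present the mirror image of this selector.
config vpn ipsec phase2-interface
    edit "branch-p2-fortilink"
        set phase1name "branch-p1"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# Item 2: route so HQ sends traffic for the branch subnet into the tunnel.
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "branch-p1"
    next
end

# Address objects referenced by the policy below.
config firewall address
    edit "branch-mgmt-net"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "hq-fortilink-net"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Item 1: policy from the tunnel interface to the FortiLink interface,
# with source/destination limited to the two subnets above.
# "ALL" is used only to keep the example short; once the FortiSwitch and
# FortiAP are reachable, narrow the service to what they actually use.
config firewall policy
    edit 0
        set name "branch-to-fortilink"
        set srcintf "branch-p1"
        set dstintf "fortilink"
        set srcaddr "branch-mgmt-net"
        set dstaddr "hq-fortilink-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The branch side (the MikroTik in this thread) needs the matching pieces: a phase2 selector with the same two subnets reversed, a route for 10.10.10.0/24 into the tunnel, and a firewall rule permitting the FortiSwitch/FortiAP subnet to reach it. Keeping the address objects narrow on both ends is what stops the tunnel from becoming a general path from the shop LAN into the HQ management network.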

Tannu1986
New Contributor II

Hi,

Thank you very much for your reply. Yes, your hypothesis "site-to-site IPsec tunnel connecting FortiGate HQ to remote router/branch" is correct,
so at this point I can reach all my devices from the office.
What I don't understand is how to address my FortiSwitches, since I have to manage them from the office; I would like to configure them before installing them in the branches. Sorry, but I don't know much about these devices; it is the first time I use them, and now I'm preparing to take a dedicated course.

saleha
Staff

Hi Tannu1986,

Thank you for the reply. That is actually a good point. Here is a guide about FortiLink that may assist with your project, although it only illustrates the case of a direct connection between the FortiGate and the switch:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/67245ccb-eab8-11ed-8e6d-fa163e...

 

Thank you,

saleha
