FortiGate in headquarters, and switch and FortiAP in the branch office connected by VPN: is it possible to connect them to the FortiGate? Are they managed by the FortiGate? Can I address them at the IP level? How do I do it? Keep in mind that the VPN is based on (91fgt), while in the shops there are MikroTiks, all connected in IPsec.
I attached the photo.
Hi,
Thank you for your inquiry. Yes, you can manage FortiSwitch and FortiAP remotely through an IPsec tunnel, where the controller/HQ FortiGate has to receive these packets through the IPsec tunnel. This will require that the branch router where the FSWs and FAPs are directly connected allows this traffic through the tunnel with the required rules and routes, and that the IPsec phase 2 selector on the IPsec tunnel includes the IP addresses of the subnet that connects these devices. On the HQ FortiGate similar config is required:
1- firewall policy where the source interface is the IPsec tunnel and the destination is the FortiLink interface, with matching IP addresses for source and destination
2- routes allowing the HQ FortiGate to learn about the remote subnets belonging to the FAPs and FSWs.
3- phase 2 selector must be configured on the FortiGate where the remote address is that of the FortiSwitches and the FortiAPs.
Note: I assumed a site-to-site IPsec tunnel connecting the HQ FortiGate to the remote/branch router. If the FortiGate configuration is a "Dialup server" VPN then the phase 2 selectors will not have any addresses, as the dialup server learns those from the connecting dialup clients.
Thank you,
saleha
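The three HQ-side steps in the answer above, written out as FortiOS CLI. This is an added example, not configuration from the post or from Fortinet; every interface name, address, serial and tunnel name is assumed, and the `allowaccess` option name should be checked against the FortiOS version in use.

```text
# Added example (not from the post): HQ FortiGate side of the three steps above.
# Assumed addressing:
#   HQ FortiLink subnet            10.255.1.0/24   (interface "fortilink")
#   HQ tunnel interface address    10.255.255.1    (branch end 10.255.255.2)
#   Branch LAN with FSW/FAP        192.168.10.0/24 (behind the branch router)

# Step 3: phase 2 selector. Local side is summarised to 10.255.0.0/16 so that both the
# FortiLink subnet and the tunnel interface address are inside the selector; remote side
# is the branch subnet where the switches and APs sit.
config vpn ipsec phase2-interface
    edit "to-branch1-p2"
        set phase1name "to-branch1"              # existing site-to-site phase 1 (assumed name)
        set src-subnet 10.255.0.0 255.255.0.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

# Step 2: route to the branch subnet via the tunnel interface
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to-branch1"
    next
end

# Sessions that terminate on the FortiGate itself (CAPWAP from a FortiAP, the FortiLink
# management session from a switch) are local-in traffic: they are admitted by
# allowaccess on the interface they arrive on, not by a firewall policy. "fabric" is the
# FortiLink-over-Layer-3 access type in recent FortiOS releases (assumed; verify per version).
config system interface
    edit "to-branch1"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
        set allowaccess ping fabric
    next
end

# Step 1: firewall policy tunnel -> FortiLink for traffic between the two subnets
config firewall address
    edit "branch1-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "hq-fortilink"
        set subnet 10.255.1.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "branch1-fsw-fap-to-fortilink"
        set srcintf "to-branch1"
        set dstintf "fortilink"
        set srcaddr "branch1-lan"
        set dstaddr "hq-fortilink"
        set action accept
        set schedule "always"
        set service "ALL"                        # narrow to the management services actually needed
        set logtraffic all
    next
end

# Branch side, FortiAP console (assumed static controller discovery):
#   cfg -a AC_IPADDR_1=10.255.255.1
#   cfg -c
# The branch router (a MikroTik in this thread) must carry 192.168.10.0/24 <-> 10.255.0.0/16
# in its own IPsec policy and routes; that side is not shown here.
```

Keep the selectors on both ends identical, otherwise the branch end will silently fail to negotiate a child SA for the management traffic; if the FortiGate end is a dial-up server, as the note above says, the selector addresses come from the client instead.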
Hi,
Thank you very much for your reply. Yes, your hypothesis "site-to-site IPsec tunnel connecting FortiGate HQ to remote router/branch" is correct,
so at this point I can reach all my devices from the office.
What I don't understand is how to address my FortiSwitches, since I have to manage them from the office; I would like to configure them before installing them in the branches. Sorry, but I don't know much about these devices; it's the first time I've used them, and now I'm preparing to take a dedicated course.
Hi Tannu1986,
Thank you for the reply. That is actually a good point. Here is a guide about FortiLink that may assist with your project, although it only illustrates a direct connection between the FortiGate and the switch:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/67245ccb-eab8-11ed-8e6d-fa163e...
Thank you,
saleha
Hi guys!!! Now I manage the FortiSwitch in Layer 3 mode from the office, but since I took charge of the FortiSwitch from the office, the FortiSwitch ports no longer communicate.
What can I do? I need to communicate via the ports to the MikroTik router that acts as the DHCP server in the shop, so the requests in the shop must be managed by it.
Hi Tannu1986,
Thank you for the query. There are a lot of unknowns in your last comments. I understood that a FortiGate is now managing the FortiSwitch, however traffic is not passing through the switch. The first thing to check is usually that, if you are configuring allowed VLANs on the switch traffic ports, the correct VLANs are configured as native on the correct switch ports. You can check using the GUI on the FortiGate: "WiFi & Switch Controller > FortiSwitch Ports". You also need to run a packet capture or sniffer at all possible spots on the network to confirm whether traffic is stopping at the switches or at a different device. Example of running the sniffer on a switch:
https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-How-to-collect-sniffer-captures-in-each-...
Example of the sniffer on the FortiGate:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
You can capture on both devices at the same time while running a continuous ping to a specific destination, local or on the internet.
You can open a support ticket if your equipment is under support contract for better assistance.
Thank you,
saleha
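The checks suggested above, written out as FortiOS CLI on the HQ FortiGate for the symptom in the last question (switch now managed from HQ, but its ports no longer pass traffic to the MikroTik DHCP server in the shop). This is an added example, not configuration from the thread or from Fortinet; the switch serial, port names, VLAN ID and switch IP are assumed. It goes one step beyond the answer by also covering DHCP snooping, which drops DHCP offers from untrusted switch ports.

```text
# Added example (not from the thread): HQ FortiGate checks for a remote managed switch
# whose ports stopped passing traffic. Serial, ports, VLAN ID and switch IP are assumed.

# 1. Confirm the switch is online and managed over the tunnel
execute switch-controller get-conn-status

# 2. Define the shop VLAN on the FortiLink side and make it the native (untagged) VLAN
#    on the switch ports. When the FortiGate takes over a switch, its ports land on the
#    FortiLink default VLAN, which has no meaning at a remote site behind a MikroTik.
config system interface
    edit "shop-lan"
        set vdom "root"
        set interface "fortilink"
        set vlanid 10                          # assumed VLAN ID used in the shop
    next
end
config switch-controller managed-switch
    edit "S124DN0000000000"                    # assumed switch serial
        config ports
            edit "port1"                       # assumed uplink to the MikroTik (DHCP server)
                set vlan "shop-lan"            # native / untagged
                set allowed-vlans "shop-lan"
                set dhcp-snooping trusted      # DHCP offers must be accepted from this port
            next
            edit "port2"                       # assumed client-facing port
                set vlan "shop-lan"
                set allowed-vlans "shop-lan"
            next
        end
    next
end

# 3. DHCP snooping: if it is enabled on the VLAN, the switch drops DHCP offers that arrive
#    on an untrusted port, which looks exactly like "clients get no address from the
#    MikroTik". Either trust the MikroTik port (above) or leave snooping off on the VLAN:
config system interface
    edit "shop-lan"
        set switch-controller-dhcp-snooping disable
    next
end

# 4. Confirm management traffic to the switch flows over the tunnel while pinging it.
#    Client DHCP traffic stays inside the branch and never reaches HQ, so capture that on
#    the switch itself, as in the FortiSwitch sniffer tip linked above.
diagnose sniffer packet any 'host 192.168.10.5' 4 0 l      # assumed switch management IP
execute ping 192.168.10.5
```

If step 1 shows the switch as down or authorising, the VLAN changes will not reach it; fix tunnel reachability first, then re-run the sniffer in step 4 to see whether the management session itself is being cut at the branch router.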
Copyright 2025 Fortinet, Inc. All Rights Reserved.