- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- New to FortiGate - Need help for LAN setup
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New to FortiGate - Need help for LAN setup
Hello everyone
I am all new to Fortinet and FortiGate, though i am a quite old Networks "user"
Right now i am in the process of swapping a Juniper SRX100 with a Fortigate 92D and a Juniper SRX240 with a Fortigate 140D-POE (+FAP321C)
In general i find all the configuration points i wish (and can dream of) and always amazed how easy and efficient everything is (especially coming from Cisco, Juniper and other Checkpoint products)
The only thing i am struggling with right now is the setup of the LANs and VLANs (i didn't think that going full VDOM was necessary)
I attached a quickly drawn high level concept of the network to give an idea of what i am trying to achieve
I am working with 3 VLANs
Green - 192.168.1.0/24 - DHCP server active
Amber - 192.168.10.0/24 - DHCP server active
Red - 192.168.100.0/24 - DHCP server active
Green is reserved for trusted devices (PCs, Macs, iDevices, ...)
Amber is reserved for internet facing servers and other devices reachable from Internet
Red is reserved for guest devices (PCs, Macs, iDevices, ...)
The devices in Green are all with single link
The servers in Amber have all dual link in 802.3ad aggregation (other devices have a single link)
The devices in Red are all with single link
What i have been trying to achieve at first was to create the 3 VLANs and assign then to various ports but it seems i can assign only to 1 interface (may it be a port or Virtual Switch or VLAN Switch) Also i noticed that the 802.3ad ports are to be set as an Aggregate Interface
So i seem to be turning round and round on how to set a number of ports to the Green VLAN, another set of Ports to the Amber VLAN (along with a couple aggregated interfaces), a 3rd set of ports to the Red VLAN and the WiFi port to all 3 VLANs
I am quite sure i am just missing a detail but i cannot seem to make it all work together
I was hoping that some of you with way more experience than me on FortiGate could help me find the solution
Thank you in advance!
Andy
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changing the port members on the default 'internal' switch depends on hardware model and firmware version. If the FGT has an 'internal' switch you can always split it up into individual ports (except for the smallest FGTs...). In the GUI, try to create a new interface (System > Network > Interfaces) - which types do you have: VLAN always, aggregate as well, switch?
Recently on a 240D running v5.2.3, when I entered the Interface setup, I could tick off single member ports as needed from the 'internal' interface.
Now for the SSIDs...so you get each SSID on it's own VLAN. On the phys. port connected to the AP, create these VLANs and point the default route of each VLAN to the VLAN's interface IP (usually x.y.z.1). Now you can create policies to allow traffic from / to each SSID. Routing is done automatically for all directly connected networks (look at the Routing Monitor to see these).
As for the LACP trunks, just create them from otherwise unused phys. ports and then configure the virtual trunk port as you like (address, VLAN ID if you need, whatever). Per default, LACP will use 'slow' mode, i.e. sending BUPs every 30 seconds. I always switch that into 'fast' mode using the CLI ('conf sys int, edit myTrunk, set lacp-mode fast'). And yes, you should make sure that you're configuring LACP ('active', not 'passive' or 'static') trunks.
You'll definitively need the CLI Reference Guide along with the Handbook for the details :)
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for off topic from Pandalist's original question. But I want to ask ede_pfau or others if FortiSwitch can do like this that FortiGate can't do.
Nowadays major routers like Cisco, Juniper, etc. supports L2 switching separated from L3 routing, just like Pandalist drew in the diagram. I've kept asking the same/similar function on Fortigate to Fortinet SE/Sales but so far it's not happening.
- « Previous
-
- 1
- 2
- Next »
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I might have spoken too early. Likely false positive. I couldn't find any possible way to configure this on FWF60D w/ 5.4.0. Sorry.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi
Thanks for having tested!
Right now i am a bit overwhelmed with events
I hope to try the 5.4 in the coming weeks on a FG140D I'll let you know as soon as i have had a chance to test :)
Best
Andy
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fixing IP overlap using virtual IPs 64 Views
- Transparent VLAN between Fortigate port and... 111 Views
- Site to Site IP Sec with... 80 Views
- What do Fortigate interface roles (eg... 98 Views
- LDAPS (can't contact LDAP server) 139 Views
Labels
-
FortiGate
7,164 -
FortiClient
1,415 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
374 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
108 -
SSL-VPN
105 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1064 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.