The specific model we are working with is a FortiGate 100F.
We usually have our Internal Interface configured with the internal network subnet. Then, we’ll have a VLAN sub-interface for Guest Network, and another VLAN sub-interface for the Accounting department network. VLAN 20, and VLAN 30 respectively. So, both of these VLANS show up under Internal Interface when we expand it.
Our HPE network switch is connected to LAN1 which is a member of the Internal Interface. The network switch is aware of the VLANS and is passing them accordingly.
When we run the ‘Security Rating’ tool on our FortiGate, we get the following warning:
ND05.2: Non-FortiLink interfaces should not have multiple VLANS configured on them.
Traffic is flowing properly and everything seems to be working as expected. Why is this against Fortinet best practices? Or, are they simply just trying to get me to use their expensive hardware switches?
Do I really need to configure 3 ports on the firewall and connect all 3 to the network switch? What is the reason for this? The VLAN subinterfaces are being recognized and everything appears to be working just fine.
Any help would be appreciated. Thank you!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Greetings Eric,
That is absolutely fine to enable 802.1q VLAN tagging on a non-fortilink interface, nothing wrong with it.
Security Rating says that:
Non-FortiLink interfaces should not have multiple VLANS configured on them.
So basically you are suggested not to do it, it does not necessarily mean that you have to have Fortiswitches and run the VLAN tagging on the fortilink interfaces.
Feel free to enable VLAN tagging on any interface you would like to.
That suggestion above assumes that you might have Fortiswitched and in that case, you should run the fortilink in order to utilize all benefits of integrating the switches and Fortigate.
Ahmad
Greetings Eric,
That is absolutely fine to enable 802.1q VLAN tagging on a non-fortilink interface, nothing wrong with it.
Security Rating says that:
Non-FortiLink interfaces should not have multiple VLANS configured on them.
So basically you are suggested not to do it, it does not necessarily mean that you have to have Fortiswitches and run the VLAN tagging on the fortilink interfaces.
Feel free to enable VLAN tagging on any interface you would like to.
That suggestion above assumes that you might have Fortiswitched and in that case, you should run the fortilink in order to utilize all benefits of integrating the switches and Fortigate.
Ahmad
Thank you so much for your response.
Just to confirm, you're saying it is perfectly fine to have our firewall configured this way...correct?
I just wanted to make sure I was being clear in my question. I figured it would be easier to share a screen shot.
Well, I don`t see any problem with that setup.
Ahmad
Your original answer is still applicable then, correct? We were talking about the same thing, correct?
"That suggestion above assumes that you might have Fortiswitched and in that case, you should run the fortilink in order to utilize all benefits of integrating the switches and Fortigate."
Yes, it is.
Ahmad
Thank you very much for your response and for helping me. I wish you the best.
You are most welcome :)
Follow-up question. Would there be any benefit to dedicating physical ports to the different VLAN's? Physical Port 1 - VLAN 1, Physical Port 2 - VLAN 2....etc etc.
Likely reduce traffic on both ports in some degree compare to putting them on the same hard-switch. Also it would reduce the chance of L2 loop down stream of the ports if they are connected to switches.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.