Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
EricTheGreat
New Contributor

Created on ‎04-18-2022 02:29 PM Edited on ‎04-18-2022 02:30 PM

Non-FortiLink interfaces should not have multiple VLANS configured on them

The specific model we are working with is a FortiGate 100F.

 

We usually have our Internal Interface configured with the internal network subnet. Then, we’ll have a VLAN sub-interface for Guest Network, and another VLAN sub-interface for the Accounting department network. VLAN 20, and VLAN 30 respectively. So, both of these VLANS show up under Internal Interface when we expand it.

 

Our HPE network switch is connected to LAN1 which is a member of the Internal Interface. The network switch is aware of the VLANS and is passing them accordingly.

 

When we run the ‘Security Rating’ tool on our FortiGate, we get the following warning:

ND05.2: Non-FortiLink interfaces should not have multiple VLANS configured on them.

 

Traffic is flowing properly and everything seems to be working as expected. Why is this against Fortinet best practices? Or, are they simply just trying to get me to use their expensive hardware switches?

 

Do I really need to configure 3 ports on the firewall and connect all 3 to the network switch?  What is the reason for this?  The VLAN subinterfaces are being recognized and everything appears to be working just fine.

 

Any help would be appreciated.  Thank you!

Labels:
6497
0 Kudos
1 Solution
aahmadzada
Staff
Staff

Created on ‎04-18-2022 10:58 PM

Greetings Eric,

That is absolutely fine to enable 802.1q VLAN tagging on a non-fortilink interface, nothing wrong with it.

Security Rating says that:
Non-FortiLink interfaces should not have multiple VLANS configured on them.

So basically you are suggested not to do it, it does not necessarily mean that you have to have Fortiswitches and run the VLAN tagging on the fortilink interfaces.

Feel free to enable VLAN tagging on any interface you would like to.

 

That suggestion above assumes that you might have Fortiswitched and in that case, you should run the fortilink in order to utilize all benefits of integrating the switches and Fortigate.

 

Ahmad

Ahmad

View solution in original post

6481
11 REPLIES 11
aahmadzada
Staff
Staff

Created on ‎04-18-2022 10:58 PM

Greetings Eric,

That is absolutely fine to enable 802.1q VLAN tagging on a non-fortilink interface, nothing wrong with it.

Security Rating says that:
Non-FortiLink interfaces should not have multiple VLANS configured on them.

So basically you are suggested not to do it, it does not necessarily mean that you have to have Fortiswitches and run the VLAN tagging on the fortilink interfaces.

Feel free to enable VLAN tagging on any interface you would like to.

 

That suggestion above assumes that you might have Fortiswitched and in that case, you should run the fortilink in order to utilize all benefits of integrating the switches and Fortigate.

 

Ahmad

Ahmad
6482
EricTheGreat
New Contributor

Created on ‎04-18-2022 11:05 PM

Thank you so much for your response.

 

Just to confirm, you're saying it is perfectly fine to have our firewall configured this way...correct?

 

Screenshot 2022-04-19 020344.jpg

I just wanted to make sure I was being clear in my question.  I figured it would be easier to share a screen shot. 

5353
0 Kudos
aahmadzada
Staff
Staff

Created on ‎04-18-2022 11:16 PM

Well, I don`t see any problem with that setup.

Ahmad

Ahmad
5352
0 Kudos
EricTheGreat
New Contributor

Created on ‎04-18-2022 11:18 PM

Your original answer is still applicable then, correct?  We were talking about the same thing, correct?

 

"That suggestion above assumes that you might have Fortiswitched and in that case, you should run the fortilink in order to utilize all benefits of integrating the switches and Fortigate."

5350
0 Kudos
aahmadzada
Staff
Staff
In response to EricTheGreat

Created on ‎04-18-2022 11:29 PM

Yes, it is.


Ahmad

Ahmad
5349
0 Kudos
EricTheGreat
New Contributor

Created on ‎04-18-2022 11:30 PM

Thank you very much for your response and for helping me. I wish you the best. 

5347
0 Kudos
aahmadzada
Staff
Staff
In response to EricTheGreat

Created on ‎04-18-2022 11:30 PM

You are most welcome :)

Ahmad
5346
0 Kudos
EricTheGreat
New Contributor

Created on ‎04-22-2022 07:27 AM

Follow-up question.  Would there be any benefit to dedicating physical ports to the different VLAN's?  Physical Port 1 - VLAN 1, Physical Port 2 - VLAN 2....etc etc. 

 

5331
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎04-22-2022 08:55 AM

Likely reduce traffic on both ports in some degree compare to putting them on the same hard-switch. Also it would reduce the chance of L2 loop down stream of the ports if they are connected to switches.

 

Toshi

5328
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.