The specific model we are working with is a FortiGate 100F.
We usually have our Internal Interface configured with the internal network subnet. Then, we’ll have a VLAN sub-interface for Guest Network, and another VLAN sub-interface for the Accounting department network. VLAN 20, and VLAN 30 respectively. So, both of these VLANS show up under Internal Interface when we expand it.
Our HPE network switch is connected to LAN1 which is a member of the Internal Interface. The network switch is aware of the VLANS and is passing them accordingly.
When we run the ‘Security Rating’ tool on our FortiGate, we get the following warning:
ND05.2: Non-FortiLink interfaces should not have multiple VLANS configured on them.
Traffic is flowing properly and everything seems to be working as expected. Why is this against Fortinet best practices? Or, are they simply just trying to get me to use their expensive hardware switches?
Do I really need to configure 3 ports on the firewall and connect all 3 to the network switch? What is the reason for this? The VLAN subinterfaces are being recognized and everything appears to be working just fine.
Any help would be appreciated. Thank you!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Greetings Eric,
That is absolutely fine to enable 802.1q VLAN tagging on a non-fortilink interface, nothing wrong with it.
Security Rating says that:
Non-FortiLink interfaces should not have multiple VLANS configured on them.
So basically you are suggested not to do it, it does not necessarily mean that you have to have Fortiswitches and run the VLAN tagging on the fortilink interfaces.
Feel free to enable VLAN tagging on any interface you would like to.
That suggestion above assumes that you might have Fortiswitched and in that case, you should run the fortilink in order to utilize all benefits of integrating the switches and Fortigate.
Ahmad
Toshi - thank you for the reply and attention. In your experience, do you deploy that way or do you simply use the sub-interfaces? I wonder how much additional work it is for the firewall if all the VLANS are on the same interface.
Created on 04-22-2022 12:46 PM Edited on 04-22-2022 12:50 PM
Regardless if it's on an aggregated hard-switch interface or on an individual interface/port, VLANs are always sub-interfaces. With the hard-swich interface, the broadcast domain of each VLAN as well as non-tagged parent interface are spread to all member interfaces/ports. So it's not about sub-interface.
It's more about if you want to split the one big hard-interface to multiple and for what purpose. Like if that FGT is shared with multiple orgs/customers. It's better, or you have to, separate them physically like 1-8 for org1, 9-16 for org2, ... and VLANs would be split by the parent hard-switches (you just can't have the same VLAN on multiple different parent interfaces).
Since the 100F seems to have many ports in a big "internal" hard-switch as you showed the GUI screenshot, I would chop them up and connect them to each section of network. Just need to remember if a broadcast domain or a VLAN needs to be shared by mulitple ports, those need to be under the same parent hard-switch.
But if you have a switch(es) connected to the FGTs, you might just want to have a LAG (2 or more ports combined) connected to the top switch/stacked switches with all VLANs+non-tagged interface(VLAN1) then let the switch(es) to handle those broadcast domains.
It's case by case what's required or the best against what you have.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.