Hi,
I have a Fortigate firewall v5.6, and I need one of the VLANs to work on two different physical interfaces because two different backbones exist.
So does a config like the one below work? How can I make both sub-interfaces communicate?
config system interface
    edit "VLAN.50.port.1"
        set vdom "root"
        set ip 172.20.2.1 255.255.255.0    # ---> for example
        set allowaccess ping
        set interface "port1"
        set vlanid 50
    next
    edit "VLAN.50.port.2"
        set vdom "root"
        set ip ?????????????    # ---> what IP should be used here.
        set allowaccess ping
        set interface "port2"
        set vlanid 50
    next
end
Thanks
Ysuf
No, it doesn't.
--------------------------------------------
If all else fails, use the force !
The only way to do anything similar would be to trunk and aggregate ports. If your model is above a 100D-E, then you can do that, otherwise you cannot.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
With aggregating or trunking you would lose the individual interfaces, so you could not have different subnets anymore but the same VID.
If you just want to be able to communicate to/from vlan 50 you only need some policy to allow this.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I was referring to the capacity gain. Yes you would 'lose' an interface, but you could still hang the VLANs off of that fatter pipe.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Yep. I meant that just to be an addition to what you wrote. If it came across differently, I apologize for that :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Knowing the limitation of L2 interfaces, your only option is to aggregate two physical interfaces into one hard/soft-switch interface, create a VLAN sub-interface on it if it needs to be tagged, then add a secondary IP/subnet to have two subnets on the same VLAN interface. Then both sides should be routed to each other.
Just to follow up on this... if I have two access layer switches, each with two VLANs (A and B) on them, can I connect them to different physical interfaces of the Fortigate and use the same VLAN on both physical interfaces? Or do I need to aggregate those to a distribution switch and then connect the distribution switch to the Fortigate (via trunk and likely aggregate port for density)?
So my setup would be something like: Switch1: VlanA and VlanB -> Fortigate port 1
Switch2: VlanA and VlanB -> Fortigate port 2
I don't see how this would work without a distribution switch, but wanted to confirm. Thanks
As I and others wrote before, the soft/hard-switch on the FGT acts as a distribution switch.
port1 --+
        +--> AggInt1 (soft or hard switch)
port2 --+
Then the same set of VLANs is shared between the two physical ports. And that's all any FGT can do for L2 switching.
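To make the approach described in this thread concrete, here is an added example configuration (not from the original posts): port1 and port2 are bundled into one LACP aggregate, a single VLAN 50 sub-interface sits on top of it, a secondary IP adds the second subnet, and a policy allows the two subnets to reach each other. It assumes the "root" VDOM, that port1 and port2 are not referenced elsewhere, and constructed addresses 172.20.2.0/24 and 172.20.3.0/24.

```fortios
config system interface
    # Bundle port1 and port2 into one L2 domain (802.3ad LACP).
    # The upstream switch ports must form a matching LACP trunk carrying
    # VLAN 50. On models with a hardware switch, "set type hard-switch"
    # is the alternative to an aggregate.
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
    next
    # One VLAN 50 sub-interface on the aggregate, so the same VID is
    # reachable through either physical port.
    edit "VLAN50"
        set vdom "root"
        set interface "agg1"
        set vlanid 50
        set ip 172.20.2.1 255.255.255.0        # constructed primary subnet
        set allowaccess ping
        # Second subnet on the same VLAN interface (constructed address).
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.20.3.1 255.255.255.0
                set allowaccess ping
            next
        end
    next
end
# Traffic between the primary and secondary subnet is routed by the
# FortiGate, so it still needs a policy with the same in/out interface.
# "all"/"ALL" is shown for illustration; narrow srcaddr, dstaddr and
# service to the two subnets and the services actually required.
config firewall policy
    edit 0
        set name "vlan50-between-subnets"
        set srcintf "VLAN50"
        set dstintf "VLAN50"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```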
Copyright 2025 Fortinet, Inc. All Rights Reserved.