Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
guidoq
New Contributor

Disable client-to-client traffic for same SSID wifi FortiWLS + Fortigate E300

Hello,

 

We have an ESS profile configured in a FortiWLC mapped to a VLAN.

The VLAN interface is configured in the FortiGate.

I'm trying to find an option that blocks traffic between the devices connected to this network.

I've read that there's a "Block Intra-SSID traffic" for FortiAPs and "Block IntraVlan traffic" for FortiSwitch, but I don't have those options in either device.

Is it possible to block traffic between clients with this setup?

8 REPLIES 8
gfleming
Staff

There's a setting called "Access VLAN" in the VLAN config which prevents client-to-client traffic

Cheers,
Graham
guidoq

Hi gfleming,

thanks for the answer, I don't see a setting with "Access VLAN" in the FortiGate device.

FortiOS v. 7.0.10 build 0450

 

RM-NODE-01 (Guest-WiFi) # show
config system interface
    edit "Guest-WiFi"
        set vdom "root"
        set ip x.x.x.x 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 49
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
        set interface "port9"
        set vlanid 6
    next
end

These are the options I have on the interface:

*vdom                                          Interface is in this virtual domain (VDOM).
vrf                                           Virtual Routing Forwarding ID.
mode                                          Addressing mode (static, DHCP, PPPoE).
priority                                      Priority of learned routes.
dhcp-relay-interface-select-method            Specify how to select outgoing interface to reach server.
dhcp-relay-service                            Enable/disable allowing this interface to act as a DHCP relay.
dhcp-relay-request-all-server                 Enable/disable sending of DHCP requests to all servers.
management-ip                                 High Availability in-band management IP address of this interface.
ip                                            Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.
allowaccess                                   Permitted types of management access to this interface.
fail-detect                                   Enable/disable fail detection features for this interface.
dhcp-client-identifier                        DHCP client identifier.
dhcp-renew-time                               DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.
idle-timeout                                  PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.
disc-retry-timeout                            Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.
padt-retry-timeout                            PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.
dns-server-override                           Enable/disable use DNS acquired by DHCP or PPPoE.
dns-server-protocol                           DNS transport protocols.
arpforward                                    Enable/disable ARP forwarding.
broadcast-forward                             Enable/disable broadcast forwarding.
bfd                                           Bidirectional Forwarding Detection (BFD) settings.
l2forward                                     Enable/disable l2 forwarding.
icmp-send-redirect                            Enable/disable sending of ICMP redirects.
icmp-accept-redirect                          Enable/disable ICMP accept redirect.
reachable-time                                IPv4 reachable time in milliseconds (30000 - 3600000, default = 30000).
vlanforward                                   Enable/disable traffic forwarding between VLANs on this interface.
stpforward                                    Enable/disable STP forwarding.
ips-sniffer-mode                              Enable/disable the use of this interface as a one-armed sniffer.
ident-accept                                  Enable/disable authentication for this interface.
ipmac                                         Enable/disable IP/MAC binding.
subst                                         Enable to always send packets from this interface to a destination MAC address.
substitute-dst-mac                            Destination MAC address that all packets are sent to from this interface.
status                                        Bring the interface up or shut the interface down.
netbios-forward                               Enable/disable NETBIOS forwarding.
wins-ip                                       WINS server IP.
type                                          Interface type.
mtu-override                                  Enable to set a custom MTU for this interface.
wccp                                          Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.
netflow-sampler                               Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).
sflow-sampler                                 Enable/disable sFlow on this interface.
drop-overlapped-fragment                      Enable/disable drop overlapped fragment packets.
drop-fragment                                 Enable/disable drop fragment packets.
src-check                                     Enable/disable source IP check.
sample-rate                                   sFlow sample rate (10 - 99999).
polling-interval                              sFlow polling interval in seconds (1 - 255).
sample-direction                              Data that NetFlow collects (rx, tx, or both).
explicit-web-proxy                            Enable/disable the explicit web proxy on this interface.
explicit-ftp-proxy                            Enable/disable the explicit FTP proxy on this interface.
proxy-captive-portal                          Enable/disable proxy captive portal on this interface.
tcp-mss                                       TCP maximum segment size. 0 means do not change segment size.
inbandwidth                                   Bandwidth limit for incoming traffic (0 - 80000000 kbps), 0 means unlimited.
outbandwidth                                  Bandwidth limit for outgoing traffic (0 - 80000000 kbps).
egress-shaping-profile                        Outgoing traffic shaping profile.
ingress-shaping-profile                       Incoming traffic shaping profile.
weight                                        Default weight for static routes (if route has no weight configured).
*interface                                     Interface name.
external                                      Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).
vlan-protocol                                 Ethernet protocol of VLAN.
vlanid                                        VLAN ID (1 - 4094).
trunk                                         Enable/disable VLAN trunk.
description                                   Description.
alias                                         Alias will be displayed with the interface name to make it easier to distinguish.
security-mode                                 Turn on captive portal authentication for this interface.
device-identification                         Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.
device-user-identification                    Enable/disable passive gathering of user identity information about users on this interface.
estimated-upstream-bandwidth                  Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.
estimated-downstream-bandwidth                Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.
measured-upstream-bandwidth                   Measured upstream bandwidth (kbps).
measured-downstream-bandwidth                 Measured downstream bandwidth (kbps).
bandwidth-measure-time                        Bandwidth measure time.
monitor-bandwidth                             Enable monitoring bandwidth on this interface.
vrrp-virtual-mac                              Enable/disable use of virtual MAC for VRRP.
role                                          Interface role.
snmp-index                                    Permanent SNMP Index of the interface.
secondary-IP                                  Enable/disable adding a secondary IP to this interface.
preserve-session-route                        Enable/disable preservation of session route when dirty.
auto-auth-extension-device                    Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.
ap-discover                                   Enable/disable automatic registration of unknown FortiAP devices.
ip-managed-by-fortiipam                       Enable/disable automatic IP address assignment of this interface by FortiIPAM.
switch-controller-igmp-snooping-proxy         Switch controller IGMP snooping proxy.
switch-controller-igmp-snooping-fast-leave    Switch controller IGMP snooping fast-leave.
switch-controller-feature                     Interface's purpose when assigning traffic (read only).
color                                         Color of icon on the GUI.

 

guidoq

Hi gfleming,

thanks for your answer, I don't see "Access VLAN" in the FortiGate VLAN interface page.

Running FortiOS v7.0.10

 

here's the vlan setup:

RM-NODE-01 (Guest-WiFi) # show
config system interface
    edit "Guest-WiFi"
        set vdom "root"
        set ip x.x.x.x 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 49
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
        set interface "port9"
        set vlanid 6
    next
end

 

and here are the options I have for the interface, am I missing something?

*vdom                                          Interface is in this virtual domain (VDOM).
vrf                                           Virtual Routing Forwarding ID.
mode                                          Addressing mode (static, DHCP, PPPoE).
priority                                      Priority of learned routes.
dhcp-relay-interface-select-method            Specify how to select outgoing interface to reach server.
dhcp-relay-service                            Enable/disable allowing this interface to act as a DHCP relay.
dhcp-relay-request-all-server                 Enable/disable sending of DHCP requests to all servers.
management-ip                                 High Availability in-band management IP address of this interface.
ip                                            Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.
allowaccess                                   Permitted types of management access to this interface.
fail-detect                                   Enable/disable fail detection features for this interface.
dhcp-client-identifier                        DHCP client identifier.
dhcp-renew-time                               DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.
idle-timeout                                  PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.
disc-retry-timeout                            Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.
padt-retry-timeout                            PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.
dns-server-override                           Enable/disable use DNS acquired by DHCP or PPPoE.
dns-server-protocol                           DNS transport protocols.
arpforward                                    Enable/disable ARP forwarding.
broadcast-forward                             Enable/disable broadcast forwarding.
bfd                                           Bidirectional Forwarding Detection (BFD) settings.
l2forward                                     Enable/disable l2 forwarding.
icmp-send-redirect                            Enable/disable sending of ICMP redirects.
icmp-accept-redirect                          Enable/disable ICMP accept redirect.
reachable-time                                IPv4 reachable time in milliseconds (30000 - 3600000, default = 30000).
vlanforward                                   Enable/disable traffic forwarding between VLANs on this interface.
stpforward                                    Enable/disable STP forwarding.
ips-sniffer-mode                              Enable/disable the use of this interface as a one-armed sniffer.
ident-accept                                  Enable/disable authentication for this interface.
ipmac                                         Enable/disable IP/MAC binding.
subst                                         Enable to always send packets from this interface to a destination MAC address.
substitute-dst-mac                            Destination MAC address that all packets are sent to from this interface.
status                                        Bring the interface up or shut the interface down.
netbios-forward                               Enable/disable NETBIOS forwarding.
wins-ip                                       WINS server IP.
type                                          Interface type.
mtu-override                                  Enable to set a custom MTU for this interface.
wccp                                          Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.
netflow-sampler                               Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).
sflow-sampler                                 Enable/disable sFlow on this interface.
drop-overlapped-fragment                      Enable/disable drop overlapped fragment packets.
drop-fragment                                 Enable/disable drop fragment packets.
src-check                                     Enable/disable source IP check.
sample-rate                                   sFlow sample rate (10 - 99999).
polling-interval                              sFlow polling interval in seconds (1 - 255).
sample-direction                              Data that NetFlow collects (rx, tx, or both).
explicit-web-proxy                            Enable/disable the explicit web proxy on this interface.
explicit-ftp-proxy                            Enable/disable the explicit FTP proxy on this interface.
proxy-captive-portal                          Enable/disable proxy captive portal on this interface.
tcp-mss                                       TCP maximum segment size. 0 means do not change segment size.
inbandwidth                                   Bandwidth limit for incoming traffic (0 - 80000000 kbps), 0 means unlimited.
outbandwidth                                  Bandwidth limit for outgoing traffic (0 - 80000000 kbps).
egress-shaping-profile                        Outgoing traffic shaping profile.
ingress-shaping-profile                       Incoming traffic shaping profile.
weight                                        Default weight for static routes (if route has no weight configured).
*interface                                     Interface name.
external                                      Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).
vlan-protocol                                 Ethernet protocol of VLAN.
vlanid                                        VLAN ID (1 - 4094).
trunk                                         Enable/disable VLAN trunk.
description                                   Description.
alias                                         Alias will be displayed with the interface name to make it easier to distinguish.
security-mode                                 Turn on captive portal authentication for this interface.
device-identification                         Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.
device-user-identification                    Enable/disable passive gathering of user identity information about users on this interface.
estimated-upstream-bandwidth                  Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.
estimated-downstream-bandwidth                Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.
measured-upstream-bandwidth                   Measured upstream bandwidth (kbps).
measured-downstream-bandwidth                 Measured downstream bandwidth (kbps).
bandwidth-measure-time                        Bandwidth measure time.
monitor-bandwidth                             Enable monitoring bandwidth on this interface.
vrrp-virtual-mac                              Enable/disable use of virtual MAC for VRRP.
role                                          Interface role.
snmp-index                                    Permanent SNMP Index of the interface.
secondary-IP                                  Enable/disable adding a secondary IP to this interface.
preserve-session-route                        Enable/disable preservation of session route when dirty.
auto-auth-extension-device                    Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.
ap-discover                                   Enable/disable automatic registration of unknown FortiAP devices.
ip-managed-by-fortiipam                       Enable/disable automatic IP address assignment of this interface by FortiIPAM.
switch-controller-igmp-snooping-proxy         Switch controller IGMP snooping proxy.
switch-controller-igmp-snooping-fast-leave    Switch controller IGMP snooping fast-leave.
switch-controller-feature                     Interface's purpose when assigning traffic (read only).
color                                         Color of icon on the GUI.

thanks!

guidoq
New Contributor

Hi gfleming,

thanks for your answer. I don't see an "Access VLAN" option in the VLAN interface page.

Running FortiOS v7.0.10

 

here's the vlan configuration:

RM-NODE-01 (Guest-WiFi) # show
config system interface
    edit "Guest-WiFi"
        set vdom "root"
        set ip x.x.x.x 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 49
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
        set interface "port9"
        set vlanid 6
    next
end

 

and the available settings in the cli:

*vdom                                          Interface is in this virtual domain (VDOM).
vrf                                           Virtual Routing Forwarding ID.
mode                                          Addressing mode (static, DHCP, PPPoE).
priority                                      Priority of learned routes.
dhcp-relay-interface-select-method            Specify how to select outgoing interface to reach server.
dhcp-relay-service                            Enable/disable allowing this interface to act as a DHCP relay.
dhcp-relay-request-all-server                 Enable/disable sending of DHCP requests to all servers.
management-ip                                 High Availability in-band management IP address of this interface.
ip                                            Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.
allowaccess                                   Permitted types of management access to this interface.
fail-detect                                   Enable/disable fail detection features for this interface.
dhcp-client-identifier                        DHCP client identifier.
dhcp-renew-time                               DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.
idle-timeout                                  PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.
disc-retry-timeout                            Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.
padt-retry-timeout                            PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.
dns-server-override                           Enable/disable use DNS acquired by DHCP or PPPoE.
dns-server-protocol                           DNS transport protocols.
arpforward                                    Enable/disable ARP forwarding.
broadcast-forward                             Enable/disable broadcast forwarding.
bfd                                           Bidirectional Forwarding Detection (BFD) settings.
l2forward                                     Enable/disable l2 forwarding.
icmp-send-redirect                            Enable/disable sending of ICMP redirects.
icmp-accept-redirect                          Enable/disable ICMP accept redirect.
reachable-time                                IPv4 reachable time in milliseconds (30000 - 3600000, default = 30000).
vlanforward                                   Enable/disable traffic forwarding between VLANs on this interface.
stpforward                                    Enable/disable STP forwarding.
ips-sniffer-mode                              Enable/disable the use of this interface as a one-armed sniffer.
ident-accept                                  Enable/disable authentication for this interface.
ipmac                                         Enable/disable IP/MAC binding.
subst                                         Enable to always send packets from this interface to a destination MAC address.
substitute-dst-mac                            Destination MAC address that all packets are sent to from this interface.
status                                        Bring the interface up or shut the interface down.
netbios-forward                               Enable/disable NETBIOS forwarding.
wins-ip                                       WINS server IP.
type                                          Interface type.
mtu-override                                  Enable to set a custom MTU for this interface.
wccp                                          Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.
netflow-sampler                               Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).
sflow-sampler                                 Enable/disable sFlow on this interface.
drop-overlapped-fragment                      Enable/disable drop overlapped fragment packets.
drop-fragment                                 Enable/disable drop fragment packets.
src-check                                     Enable/disable source IP check.
sample-rate                                   sFlow sample rate (10 - 99999).
polling-interval                              sFlow polling interval in seconds (1 - 255).
sample-direction                              Data that NetFlow collects (rx, tx, or both).
explicit-web-proxy                            Enable/disable the explicit web proxy on this interface.
explicit-ftp-proxy                            Enable/disable the explicit FTP proxy on this interface.
proxy-captive-portal                          Enable/disable proxy captive portal on this interface.
tcp-mss                                       TCP maximum segment size. 0 means do not change segment size.
inbandwidth                                   Bandwidth limit for incoming traffic (0 - 80000000 kbps), 0 means unlimited.
outbandwidth                                  Bandwidth limit for outgoing traffic (0 - 80000000 kbps).
egress-shaping-profile                        Outgoing traffic shaping profile.
ingress-shaping-profile                       Incoming traffic shaping profile.
weight                                        Default weight for static routes (if route has no weight configured).
*interface                                     Interface name.
external                                      Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).
vlan-protocol                                 Ethernet protocol of VLAN.
vlanid                                        VLAN ID (1 - 4094).
trunk                                         Enable/disable VLAN trunk.
description                                   Description.
alias                                         Alias will be displayed with the interface name to make it easier to distinguish.
security-mode                                 Turn on captive portal authentication for this interface.
device-identification                         Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.
device-user-identification                    Enable/disable passive gathering of user identity information about users on this interface.
estimated-upstream-bandwidth                  Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.
estimated-downstream-bandwidth                Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.
measured-upstream-bandwidth                   Measured upstream bandwidth (kbps).
measured-downstream-bandwidth                 Measured downstream bandwidth (kbps).
bandwidth-measure-time                        Bandwidth measure time.
monitor-bandwidth                             Enable monitoring bandwidth on this interface.
vrrp-virtual-mac                              Enable/disable use of virtual MAC for VRRP.
role                                          Interface role.
snmp-index                                    Permanent SNMP Index of the interface.
secondary-IP                                  Enable/disable adding a secondary IP to this interface.
preserve-session-route                        Enable/disable preservation of session route when dirty.
auto-auth-extension-device                    Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.
ap-discover                                   Enable/disable automatic registration of unknown FortiAP devices.
ip-managed-by-fortiipam                       Enable/disable automatic IP address assignment of this interface by FortiIPAM.
switch-controller-igmp-snooping-proxy         Switch controller IGMP snooping proxy.
switch-controller-igmp-snooping-fast-leave    Switch controller IGMP snooping fast-leave.
switch-controller-feature                     Interface's purpose when assigning traffic (read only).
color                                         Color of icon on the GUI.

Is there something I'm missing?

thanks!

guidoq
New Contributor

Hi gfleming,

thanks for the answer,

I'm trying to post a reply with my configuration but it disappears after I reload the page.

Anyway I don't have an "Access VLAN" setting in the VLAN interface page. I'm currently running FortiOS 7.0.10.

guidoq
New Contributor

RM-NODE-01 (Guest-WiFi) # show
config system interface
    edit "Guest-WiFi"
        set vdom "root"
        set ip x.x.x.x 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 49
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
        set interface "port9"
        set vlanid 6
    next
end
gfleming

Try "set switch-controller-access-vlan enable"

 

In the 7.X GUI I think it's renamed "Block Intra-VLAN Traffic"

Cheers,
Graham
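
One way to check a saved configuration for the setting suggested above, as an added example that is not part of the thread or any Fortinet tooling: the script parses `config system interface` output and lists VLAN interfaces where `switch-controller-access-vlan` is not enabled. The second interface ("IoT" on "fortilink") and the function names are constructed for illustration.

```python
"""Audit a FortiOS `show` dump for VLAN interfaces without client isolation."""
import shlex

# Constructed sample: the Guest-WiFi interface as posted in the thread, plus a
# hypothetical second VLAN ("IoT") that has the suggested setting applied.
SAMPLE_CONFIG = '''\
RM-NODE-01 (Guest-WiFi) # show
config system interface
    edit "Guest-WiFi"
        set vdom "root"
        set ip x.x.x.x 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 49
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
        end
        set interface "port9"
        set vlanid 6
    next
    edit "IoT"
        set vdom "root"
        set switch-controller-access-vlan enable
        set interface "fortilink"
        set vlanid 20
    next
end
'''

ISOLATION_KEY = "switch-controller-access-vlan"


def parse_interfaces(text):
    """Return {name: {setting: value}} for each `edit` block under
    `config system interface`.

    Nested `config ... end` sub-blocks (such as `config ipv6`) are skipped so
    their settings are not mistaken for interface-level ones. Lines outside
    the section, including the CLI prompt line, are ignored.
    """
    interfaces = {}
    in_section = False
    current = None  # name of the interface being read, if any
    depth = 0       # nesting depth of sub-blocks inside the current edit
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)  # handles quoted names and values
        except ValueError:
            tokens = raw.split()       # unbalanced quote: fall back
        if not tokens:
            continue
        head = tokens[0]
        if not in_section:
            if tokens[:3] == ["config", "system", "interface"]:
                in_section = True
            continue
        if current is None:
            if head == "edit" and len(tokens) > 1:
                current = tokens[1]
                interfaces[current] = {}
                depth = 0
            elif head == "end":
                in_section = False
            continue
        if head == "config":
            depth += 1
        elif head == "end" and depth > 0:
            depth -= 1
        elif depth == 0 and head == "next":
            current = None
        elif depth == 0 and head == "set" and len(tokens) >= 3:
            interfaces[current][tokens[1]] = " ".join(tokens[2:])
    return interfaces


def unisolated_vlans(interfaces):
    """Names of VLAN sub-interfaces (those with a vlanid) where the
    isolation setting is absent or not set to 'enable'."""
    return sorted(
        name for name, cfg in interfaces.items()
        if "vlanid" in cfg and cfg.get(ISOLATION_KEY) != "enable"
    )


if __name__ == "__main__":
    for name in unisolated_vlans(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {ISOLATION_KEY} not enabled")
```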