tanr
Valued Contributor II

Initial questions on FortiGate control of multiple FortiSwitches

Hi All,

I'll be doing some quick proof of concept work next week with a 5.4.6 FortiGate controlling a couple of 3.6.3 108D-POE FortiSwitches. This is mostly to see if larger FortiSwitches might work for a different location.

I've run through the documentation, but have some questions before I get started, most of them basically boiling down to: Is there any way to manage FortiSwitches from the FortiGate but do it through distinct (not hardware/software switch) interfaces?

1. Even with multiple FortiSwitches, all examples show a SINGLE FortiLink interface (which could be a hardware or software switch within the FortiGate spanning multiple physical ports) connecting to the switches (which may have ISL between them). See http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-managing-fortiswitch-330-54/Stacking.... examples. This is required? I can't have two SEPARATE FortiLink interfaces to further separate the switches? Even if I set fortilink-stacking disable?
2. Related to #1, the only way shown to create VLANs for the managed FortiSwitches shows the VLAN interfaces being created on the (single) FortiLink interface as in http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-managing-fortiswitch-330-54/VLANconfi.... Thus all VLANs get trunked through the FortiLink. No way to have VLANs on other FortiGate interfaces if I want to manage those VLANs on the FortiSwitch? Why not?
3. All the examples I've found show the FortiGate only connecting to FortiSwitch(es) through a FortiLink connection. Can the switch also have connections to other FortiGate interfaces? How about to non-FortiLink VLAN interfaces on the FortiGate?

As you can probably tell, most of this is trying to figure out a way to manage a FortiSwitch from the FortiGate but still keep its VLANs and other interfaces as separated as possible. This is to make it harder to accidentally break security with a single error, like the incorrect VLAN being set on a switch interface. One use case is for a bunch of IP security cameras on a single switch. Really don't want to plug that back into our LAN!

    tanr
    Valued Contributor II

    Still haven't found a way to have separate physical interfaces on the FortiGate for separate VLANs unless I use VDOMs or unless I don't have the FortiGate manage the FortiSwitch.


    Anybody else?

    Prab
    New Contributor

    Hi Tanr,

    Regarding Question 1:

    A FortiGate can only have one FortiLink at the moment. This FortiLink can be a single interface or a logical interface (software switch or 802.3ad aggregate interface, etc.). In case you plan to use a logical link, make sure you understand the limitations of the logical links.

    Regarding Question 2:

    This is true and this is by design. You can still create VLANs on the FortiGate too, but yes, it looks a bit messy.

    Regarding Question 3:

    Long story short, please do not do this. It might work (I tested it in my lab and it worked), but it is not a supported topology, so at the end of the day Fortinet Support has the right to tell you to run off in case you open a support ticket for any topology that is officially not supported by the FortiGate/FortiLink/FortiSwitch. For example: the following topology worked fine in my lab, but as per Fortinet support it is not officially supported. ;)

    Hope this was helpful.

    Thanks & regards,

    Prab

    tanr
    Valued Contributor II

    Hi Prab,

    Thanks for the info. The picture helps explain your "non-supported" config nicely. What you said matches most of what I've worked out so far.

    One additional question I haven't found an answer to yet (I have the question open with TAC) is if there is a good way to have CLI access to the FortiSwitches, not just have them managed by the FortiGate. The switch-controller custom-commands are not sufficient for our needs.

    I have seen descriptions of how to set this up with a managed FortiSwitch if it has a dedicated management port. See https://docs.fortinet.com/uploaded/files/2742/manageFSWfromFGT54.pdf "Configuring FortiSwitch Management Port" for details. However, I can't seem to get this to work for my 108D-POEs, which have no management port.

    Any suggestions on how to get/keep CLI access to the FortiSwitches after they are managed by the FortiGate?

    Prab
    New Contributor

    tanr wrote:

        Hi Prab,

        Thanks for the info. The picture helps explain your "non-supported" config nicely. What you said matches most of what I've worked out so far.

        One additional question I haven't found an answer to yet (I have the question open with TAC) is if there is a good way to have CLI access to the FortiSwitches, not just have them managed by the FortiGate. The switch-controller custom-commands are not sufficient for our needs.

        I have seen descriptions of how to set this up with a managed FortiSwitch if it has a dedicated management port. See https://docs.fortinet.com/uploaded/files/2742/manageFSWfromFGT54.pdf "Configuring FortiSwitch Management Port" for details. However, I can't seem to get this to work for my 108D-POEs, which have no management port.

        Any suggestions on how to get/keep CLI access to the FortiSwitches after they are managed by the FortiGate?

    Hi Tanr,

    If the FortiSwitch is being managed by a FortiGate, then it is generally a bad idea to manage it directly (e.g. via SSH, HTTPS, etc.). Please only make changes to the managed FortiSwitches from the FortiGate. This is because there can be a mismatch between the configuration running on the FortiSwitch and the configuration of the FortiSwitch running on the FGT.

    Also, once the FortiSwitch is managed via FortiGate (at least FortiOS 5.6.3 & FortiSwitch OS 3.6.3), you can directly establish a CLI connection to the FortiSwitch from the FortiGate. However, unfortunately I am not sure if this CLI access can execute all the commands that you mentioned. For me, I was able to configure everything from the FortiGate on the managed FortiSwitch and never needed to log in directly to the FortiSwitch. Do you have a special case or a reason?

    Maybe Fortinet support can provide some details here?

    Thanks & regards,

    Prab :)

    tanr
    Valued Contributor II

    I can understand concerns about CLI access when the FortiSwitch is managed by the FortiGate. But how to access the CLI directly (if the FortiSwitch has a management port) is in the documentation, plus multiple places where the documentation says to make a CLI change to the FortiSwitch along with a change from the FortiGate. Hey, what could go wrong? ;->

    I've got 3 needs for the FortiSwitch CLI currently:

    • Change the DNS servers it uses (change through custom-command hasn't worked)
    • Change the NTP server it uses (change through custom-command hasn't worked)
    • Display config and diagnostic info from the FortiSwitch (show, get, diag debug, etc.) - again, don't get output when using custom-command

    I'm sure I'll have other CLI needs in the future. With the larger switches I can just use the management port or the serial port for this. It's just the little 108D-POE that doesn't have one or the other.

    Prab
    New Contributor

    tanr wrote:

        I can understand concerns about CLI access when the FortiSwitch is managed by the FortiGate. But how to access the CLI directly (if the FortiSwitch has a management port) is in the documentation, plus multiple places where the documentation says to make a CLI change to the FortiSwitch along with a change from the FortiGate. Hey, what could go wrong? ;->

        I've got 3 needs for the FortiSwitch CLI currently:

        • Change the DNS servers it uses (change through custom-command hasn't worked)
        • Change the NTP server it uses (change through custom-command hasn't worked)
        • Display config and diagnostic info from the FortiSwitch (show, get, diag debug, etc.) - again, don't get output when using custom-command

        I'm sure I'll have other CLI needs in the future. With the larger switches I can just use the management port or the serial port for this. It's just the little 108D-POE that doesn't have one or the other.

    Hi Tanr,

    I just tested changing the DNS settings of the managed FortiSwitch via the CLI access from the FGT, and it works.

    I am using 5.6.3 FortiOS and 3.6.3 FortiSwitchOS. Also, there are some commands that you can directly execute from the FGT's CLI, e.g. diagnose switch-controller dump stp, and for some commands you have to establish a CLI access from the FGT GUI to the corresponding FortiSwitch.

    Hope it was helpful.

    Thanks & regards,

    Prab :)

    tanr
    Valued Contributor II

    Thanks for the info Prab.


    I've been able to make the changes I needed by running "exec ssh" on the FortiGate to directly manage the switch.  I've also finally been able to access the switch remotely for management from one of our subnets, but only after deauthorizing it, doing a factory reset, and reauthorizing it.  Don't know what that cleared up, but I'm happy to have it work.


    Still have an issue related to this that I'm working on with TAC.  Will try to post here once resolved, if possible.
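    A worked configuration, added here as an illustration and not taken from the thread, from tanr's or Prab's setups, or from Fortinet's documentation, tying together the points raised above: the camera VLAN hangs off the single FortiLink interface (question 2), is pinned to specific switch ports as the native VLAN, the switch's DNS is pushed through a switch-controller custom-command (the item tanr could not get to work), and the last line is the direct CLI path tanr ended up using. The interface name "fortilink", the switch serial S108DV0000000000, VLAN ID 50, the 10.10.50.0/24 camera subnet, the resolver 10.10.0.53 and the switch's FortiLink address 169.254.1.2 are all constructed placeholders; the syntax follows FortiOS 5.6 (FortiLink VLANs under config system interface), which is the release Prab was on.

```fortios
# Added example; all names and addresses below are constructed placeholders.

# 1. Camera VLAN created on the FortiLink interface (this is the only place
#    FortiOS accepts a VLAN that the switch controller will push to the switch).
config system interface
    edit "cameras"
        set vdom "root"
        set ip 10.10.50.1 255.255.255.0
        set allowaccess ping
        set interface "fortilink"
        set vlanid 50
    next
end

# 2. Pin the VLAN to the camera ports only, as their untagged (native) VLAN.
#    Other ports keep the default VLAN, so a camera port is never a trunk.
config switch-controller managed-switch
    edit "S108DV0000000000"
        config ports
            edit "port5"
                set vlan "cameras"
            next
            edit "port6"
                set vlan "cameras"
            next
        end
    next
end

# 3. Push DNS settings to the switch without logging in to it.
#    %0a encodes the newline between FortiSwitch CLI lines.
config switch-controller custom-command
    edit "set-dns"
        set command "config system dns %0a set primary 10.10.0.53 %0a end %0a"
    next
end
execute switch-controller custom-command set-dns S108DV0000000000

# 4. Direct CLI into the managed switch over the FortiLink subnet
#    (the route tanr reports using in the last post).
execute ssh admin@169.254.1.2
```

    Two things worth checking after this. First, the separation tanr wants is enforced by the FortiGate's implicit deny, not by the cabling: "cameras" and the LAN VLANs share the same FortiLink trunk, but with no firewall policy from "cameras" to a LAN interface nothing crosses, so the thing to audit is the policy table, not the trunk. Second, the single-error failure tanr describes (a port landing in the wrong VLAN) is visible in the output of show switch-controller managed-switch as that port's vlan value, which makes a quick diff of that output before and after a change a cheap safety net.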
