Configuration Steps
Configuration consists of the following major steps:
1. Configure “auto-discovery-fortilink enable” on the FortiSwitch ports that you will connect to FGT2. This step is not required if the port is auto-fortilink by default.
2. Add cable connections from FGT2 to the directly-connected FortiSwitches (an exact duplicate of the FGT1 to FortiSwitch connections).
3. Connect the HA cables between FGT1 and FGT2.
4. At FGT1: configure FortiGate High Availability using the GUI. For additional information, refer to the High Availability chapter in the FortiOS Handbook.
5. At FGT2: Configure FortiGate High Availability using the CLI from the console port. The following parameters must be identical to FGT1:
- HA-mode
- Priority
- Group Name and Password
6. At this point, the FGT1 synchronizes with FGT2. This takes several minutes.
7. Verify the configuration at FGT2 using the following commands:
get ha status
get system ha status
Adding a Switch to Existing HA FortiGates (single FortiLinks)
Connect one FortiSwitch port to each of the FortiGate units. On FGT1, follow the same FortiLink configuration steps as for the non-HA configuration. FGT1 synchronizes the configuration with FGT2.
Configuration Steps
1. Configure two FortiSwitch ports as “auto-discovery-fortilink enable”. This step is not required for any port that is auto-fortilink by default.
2. Connect one port to FGT1 and the other port to FGT2.
– The FGT1 and FGT2 port numbers must be identical. For example:
– FortiSwitch port21 and port22 connect to FGT1 port4 and FGT2 port4.
3. At FGT1, perform the steps to configure FortiLink (as described in FortiLink Configuration):
a. Change an internal port to be the FortiLink port
b. Authorize the FortiSwitch
4. At FGT2, run the command “get switch-controller managed-switch” to verify that the FGT1 configuration was synchronized successfully.
Adding a Switch to Existing FGT HA setup (Fortilink LAGs)
In this configuration, connect two FortiSwitch ports to each FortiGate unit. Enter the configuration commands on FGT1 (same commands as for the non-HA configuration). The HA feature synchronizes the configuration to FGT2.
Configuration Steps
1. Configure four FortiSwitch ports as “auto-discovery-fortilink enable”. This step is not required for any port that is auto-fortilink by default.
2. Connect two ports to FGT1 and the other two ports to FGT2.
– The FGT1 and FGT2 port numbers must be the same. For example:
– FortiSwitch port21 and port22 connect to FGT1 port4 and port5, and FortiSwitch port23 and port24 connect to FGT2 port4 and port5.
3. At FGT1, configure the Fortilink LAG (as described in FortiLink Configuration):
a. Create the FortiLink LAG interface and add the physical ports as members
b. Authorize the FortiSwitch
4. At FGT2, run the command “get switch-controller managed-switch” to verify that the FGT1 configuration was synchronized successfully.
(Optional) Test the HA Capability
Warning: the following is a destructive test that simulates a FortiGate failure. You should conduct this test only in a lab or test network, not in a production network:
1. Disconnect power from FGT1 to simulate failure
2. From the FGT2 GUI, go to WiFi & Switch Controller > Managed FortiSwitch.
3. The FortiSwitch is now visible from the management interface on FGT2.
Optional Setup Tasks
This section describes the following tasks:
- Configuring FortiSwitch Management Port
- Converting to FortiSwitch Standalone Mode
Configuring FortiSwitch Management Port
If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.
Using the FortiSwitch Web-based Manager
1. Go to Routing
2. Under Static Routes, click Create New
3. Enter the following fields in the New Static Route form:
a. Destination: enter a subnetwork and mask
b. Device: select the management interface
c. Gateway: enter the gateway IP address
Using the FortiSwitch CLI
Enter the following commands:
config router static
    edit 1
        set device mgmt
        set gateway <router IP address>
        set dst <router subnet> <subnet mask>
    next
end
In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:
config router static
    edit 1
        set device mgmt
        set gateway 192.168.0.10
        set dst 192.168.0.0 255.255.0.0
    next
end
Converting to FortiSwitch Standalone Mode
If a FortiSwitch is operating in managed mode, follow these instructions to convert it to standalone mode.
1. From the switch CLI:
config system global
    set mgmt-mode local
end
NOTE: FortiSwitch will reboot when you issue the above command.
2. From the FortiGate, use the web-based manager or CLI to perform the following commands before the switch reboot has completed:
Using the Web-based manager
a. Navigate to WiFi & Switch Controller > Managed FortiSwitch.
b. Right-click on the switch and select De–authorize.
Using the CLI
config switch-controller managed-switch
    edit <switch-id>
        set fsw-wan1-admin disable
    next
end
VLAN Configuration
Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic: traffic is only forwarded automatically within a VLAN, so you must configure routing for traffic between VLANs.
From the FortiGate, you can centrally configure and manage VLANs for the managed FortiSwitches.
In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in Fortilink mode. The switch supports up to 1023 user-defined VLANs. The user can assign a VLAN number (in the range 1-4095) to each of the VLANs.
You can configure the default VLAN for each port. You can also configure a set of allowed VLANs for each port.
FortiSwitch VLANs Display
The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.
The following figure shows the VLAN page:
Each entry in the VLAN list displays the following information:
- Name – name of the VLAN
- VLAN ID – the VLAN number.
- IP/Netmask – Address and mask of the subnetwork that corresponds to this VLAN
- Access
- Ref – how many interfaces reference this VLAN.
Creating VLANs
Setting up a VLAN requires:
- Creating the VLAN.
- Assigning FortiSwitch ports to the VLAN.
Using the web-based manager
Creating the VLAN
1. Go to WiFi & Switch Controller > FortiSwitch VLANs and select Create New. Change the following settings:
Interface Name | VLAN name
VLAN ID | Enter a number (1-4094)
Color | Choose a unique color for each VLAN, for ease of visual display.
IP/Network Mask | IP address and network mask for this VLAN.
2. Enable DHCP Server. Set the IP range.
3. Select OK.
Assigning FortiSwitch Ports to the VLAN
1. Go to WiFi & Switch Controller > FortiSwitch Ports
2. Click the rows for ports to select them.
3. Right-click and select Assign VLANS > Native VLAN. Select a VLAN from the list.
The selected ports on the FortiSwitch have now been assigned to the selected VLAN.
4. Right-click and select Assign VLANS > Allowed VLANs.
5. In the dialog box, select an allowed VLAN. Click the + icon to add another allowed VLAN.
The allowed VLANs have now been assigned to the selected ports.
Using the CLI
1. Create the marketing VLAN.
config switch-controller vlan
    edit <vlan name>
        set vlanid <1-4094>
        set color <1-32>
    next
end
2. Set the VLAN’s IP address.
config system interface
    edit <vlan name>
        set ip <IP address> <Network mask>
    next
end
3. Enable a DHCP Server.
config system dhcp server
    edit 1
        set default-gateway <IP address>
        set dns-service default
        set interface <vlan name>
        config ip-range
            edit 1
                set start-ip <IP address>
                set end-ip <IP address>
            next
        end
        set netmask <Network mask>
    next
end
4. Assign ports to the VLAN.
config switch-controller managed-switch
    edit <Switch ID>
        config ports
            edit <port name>
                set vlan <vlan name>
                set allowed-vlans <vlan name>
            next
        end
    next
end
FortiSwitch POE Configuration
You can configure the FortiSwitch POE settings from the FortiGate using the FortiGate web-based manager or CLI commands.
FortiSwitch Ports Display
The WiFi & Switch Controller > FortiSwitch Ports page displays port information about each of the managed switches.
The following figure shows the display for a FortiSwitch 108D-POE:
The switch faceplate displays:
- the active ports (green)
- the POE-enabled ports (blue rectangle)
- the FortiLink port (link icon)
The POE Status displays the total power budget, and the actual power currently allocated.
The allocated power displays a blue bar for the used power (currently being consumed) and a green bar for the reserved power (power available for additional devices on the POE ports). See the following figures:
Each entry in the port list displays the following information:
- Port status (red for down, green for up)
- Port name
- Native VLAN
- Allowed VLANs
- POE status
Configuring Ports Using the Web Manager
You can use the web manager to enable or disable POE on a port.
Enable or Disable POE on a port
Follow these instructions to configure POE on a port:
1. Navigate to WiFi & Switch Controller > FortiSwitch Ports
2. Click on a row to select the port.
3. Right-click the row, select POE and select Enable POE or Disable POE
Note: when you select a row in the port table, you can also use the Assign VLANs and PoE menus (located just below the page banner), instead of the right-click menu, to configure the values.
Configuring Ports Using the CLI
The following port CLI commands are available:
- Set port speed.
- Set port admin status
- Configure vlan on the port
- Enable or Disable the POE power on a per-port basis (available starting in FortiSwitchOS 3.3.0)
Port commands
config switch-controller managed-switch
    edit <switch>
        config ports
            edit <port>
                set speed <speed>
                set status {down | up}
                set vlan <vlan_id>
                set poe-status {enable | disable}
            next
        end
    next
end
POE commands
The following POE CLI commands are available starting in FortiSwitchOS 3.3.0:
- Reset any POE port (by toggling the power OFF and then ON)
- Display general POE status
Reset any POE port (by toggling the power OFF and then ON)
execute switch-controller poe-reset <fortiswitch-id> <port>
Display general POE status
get switch-controller poe <fortiswitch-id> <port>
The following example displays the POE status for port 6 on the specified switch:
# get switch-controller poe FS108D3W14000967 port6
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V Current: 78mA
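As an added example (not code from the Fortinet document), the output format shown above can be parsed so that the PoE state of every port is available to a script rather than read by eye; a port that is delivering power where no powered device is planned is an easy-to-miss sign of an unplanned device on the LAN. The sample text is the page's own port6 output plus one constructed line for an unpowered port; the regular expressions, the field names and the expect_device flag are assumptions of this example.

```python
# Added example, not from the Fortinet document: parse the output of
# "get switch-controller poe <fortiswitch-id> <port>" into a typed dict and
# derive inventory checks from it. Field names and regexes are assumptions.
import re

# The page's own sample output for port6 on switch FS108D3W14000967.
SAMPLE_OUTPUT = """\
Port(6) Power:3.90W, Power-Status: Delivering Power
Power-Up Mode: Normal Mode
Remote Power Device Type: IEEE802.3AT PD Power Class: 4
Defined Max Power: 30.0W, Priority:3
Voltage: 54.00V Current: 78mA
"""

# Constructed (not from the page): a port with nothing attached.
NO_DEVICE_OUTPUT = "Port(7) Power:0.00W, Power-Status: Searching\n"

# field name -> (regex with one capture group, converter)
_FIELDS = {
    "port": (r"Port\((\d+)\)", int),
    "power_w": (r"\bPower:([\d.]+)W", float),
    "status": (r"Power-Status:\s*([^\n]+)", str),
    "powerup_mode": (r"Power-Up Mode:\s*([^\n]+)", str),
    "pd_type": (r"Remote Power Device Type:\s*(\S+)", str),
    "pd_class": (r"Power Class:\s*(\d+)", int),
    "max_power_w": (r"Defined Max Power:\s*([\d.]+)W", float),
    "priority": (r"Priority:\s*(\d+)", int),
    "voltage_v": (r"Voltage:\s*([\d.]+)V", float),
    "current_ma": (r"Current:\s*(\d+)mA", int),
}


def parse_poe_status(text):
    """Return the fields present in one port's PoE status block, typed."""
    parsed = {}
    for key, (pattern, conv) in _FIELDS.items():
        m = re.search(pattern, text)
        if m:
            parsed[key] = conv(m.group(1).strip())
    return parsed


def check_port(parsed, expect_device):
    """Derive findings from a parsed block.

    expect_device says whether a powered device is planned on this port
    according to the site's port inventory (an assumption of this example).
    """
    findings = []
    delivering = parsed.get("status", "").lower().startswith("delivering")
    if delivering and not expect_device:
        findings.append("powered device present on a port with no planned PD")
    if not delivering and expect_device:
        findings.append("planned PD is not drawing power")
    if delivering and parsed.get("max_power_w"):
        util = parsed["power_w"] / parsed["max_power_w"]
        if util > 0.9:
            findings.append(f"draw at {util:.0%} of defined max power")
    # Cross-check the reported wattage against V*I; a large gap usually means
    # a mis-parsed line rather than a hardware problem.
    if all(k in parsed for k in ("voltage_v", "current_ma", "power_w")):
        computed = parsed["voltage_v"] * parsed["current_ma"] / 1000.0
        if abs(computed - parsed["power_w"]) > 1.0:
            findings.append(f"reported {parsed['power_w']}W vs computed {computed:.2f}W")
    return findings


if __name__ == "__main__":
    for text, planned in ((SAMPLE_OUTPUT, True), (NO_DEVICE_OUTPUT, True)):
        fields = parse_poe_status(text)
        print(fields["port"], fields.get("status"), check_port(fields, planned))
```

The parser keeps only fields it actually finds, so a port with no device (which prints fewer lines) still parses; the checks then compare what the switch reports against the expected state of that port.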
Troubleshooting
If the FortiGate does not establish the Fortilink connection with the switch, perform the following troubleshooting checks.
Troubleshooting FortiLink Issues
Check the FortiGate configuration
Using the FortiGate GUI, check the FortiLink interface configuration:
1. In Network > Interfaces, double-click the interface used for FortiLink.
2. Ensure that Dedicated to Extension Device is set for this interface.
Using the FortiGate CLI, verify that you have configured the DHCP and NTP settings correctly. Enter the following commands:
1. Verify that the NTP server is enabled, and the Fortilink interface has been added to the list:
show system ntp
2. Ensure that the DHCP server on the Fortilink interface is configured correctly:
show system dhcp
Check the FortiSwitch configuration
Use the following FortiSwitch CLI commands to check the FortiSwitch configuration:
1. Verify that the switch system time matches the time on the FortiGate:
get system status
2. Verify that FortiGate has sent an IP address to the FortiSwitch.
Typically, the IP address will be in the range of 169.254.x.x:
get system interfaces
3. Verify that you can ping the FortiGate IP address:
exec ping x.x.x.x
Scenarios
This chapter contains practical examples of how to use the FortiSwitch unit to manage a network. The scenarios are as follows:
- Scenario 1: Creating the marketing VLAN
- Scenario 2: Allowing access to specific users on the marketing VLAN
- Scenario 3: Adding a specific device to the marketing VLAN
The Example Network
All the scenarios are interrelated and are used to manage an example network with the following attributes:
- The FortiSwitch unit used is a FortiSwitch-224D-POE, serial number FS224D3W14000370.
- The FortiSwitch unit’s port 24 connects to port1 on the FortiGate unit.
- The LAN is divided into four distinct VLANs, configured as follows:
VLAN | IP | Device(s) | Port(s) | Policy ID(s) | GUI Color
marketing | 172.20.120.10/255.255.255.0 | marketing PCs, marketing laptop | 3-6 | 2, 3 |
accounting | 172.20.130.10/255.255.255.0 | accounting PCs | 21 | 4 |
voip | 172.20.140.10/255.255.255.0 | VoIP phone | 10 | 5 |
access_point | 172.20.150.10/255.255.255.0 | FortiAP | 1 | 6 |
- There are six devices that connect directly to the FortiSwitch unit’s ports using Ethernet cables: the 3 marketing PCs, the marketing laptop, the VoIP phone, and the FortiAP unit.
- The accounting VLAN connects to the FortiSwitch using an SFP port.
- There are three marketing employees (Jane Smith, Tom Brown, Bob Lee) who will use the marketing VLAN using the marketing PCs.
- The MAC address of the marketing laptop is 01:23:45:67:89:ab.
- The IP range for the VoIP phone is 10.10.10.10-10.10.10.50.
- The FortiAP unit is a FortiAP-11C, serial number FAP11C3X12000412.
Scenario 1: Creating the Marketing VLAN
Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic (traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs).
For example, if a company has one LAN which is to be used for both the marketing and the accounting department, this LAN can be segmented into two VLANs. This allows the traffic from each department to be isolated, so information packets sent to the marketing department are only sent on the marketing VLAN. It also allows different policies to be created, so that security can be increased for the accounting department without also increasing it for the marketing department.
The following instructions will create a VLAN to be used by the marketing team for network and Internet access. The marketing team PCs will connect to ports 3-6 on the FortiSwitch.
Using the web-based manager
Creating the VLAN
1. Go to WiFi & Switch Controller > FortiSwitch VLANs and select Create New. Change the following settings:
Interface Name | marketing
VLAN ID | Enter a number (1-4094)
Color | Choose a unique color for each VLAN, for ease of visual display.
IP/Network Mask | 172.20.120.10/255.255.255.0
2. Enable DHCP Server. Set the IP range to 172.20.120.11-172.20.120.254.
3. Select OK.
The entry marketing is now shown on the list of VLANs. A marketing interface has also been added, which can be seen by going to Network > Interfaces.
Assigning FortiSwitch Ports to the VLAN
1. Go to WiFi & Switch Controller > FortiSwitch Ports
2. Click the rows for ports 3-6 to select them.
3. Right-click and select Assign VLANS > Native VLAN. Select a VLAN from the list.
Ports 3-6 on the FortiSwitch have now been assigned to the selected VLAN and will appear in red.
Using the CLI
1. Create the marketing VLAN.
config switch-controller vlan
    edit marketing
        set vlanid 4
        set color 32
    next
end
2. Set the VLAN’s IP address.
config system interface
    edit marketing
        set ip 172.20.120.14 255.255.255.0
    next
end
3. Enable a DHCP Server.
config system dhcp server
    edit 1
        set default-gateway 172.20.120.10
        set dns-service default
        set interface marketing
        config ip-range
            edit 1
                set start-ip 172.20.120.11
                set end-ip 172.20.120.254
            next
        end
        set netmask 255.255.255.0
    next
end
4. Assign ports 3-6 to the VLAN.
config switch-controller managed-switch
    edit FS224D3W14000370
        config ports
            edit port3
                set vlan marketing
            next
            edit port4
                set vlan marketing
            next
            edit port5
                set vlan marketing
            next
            edit port6
                set vlan marketing
            next
        end
    next
end
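The four CLI steps above (and the generic form of the same procedure in the VLAN Configuration section), as an added example that is not part of the Fortinet document: a Python script that takes one declarative description of a VLAN, checks the values a hand-typed copy of these steps commonly gets wrong (a VLAN ID outside 1-4094, a DHCP range that leaves the subnet or includes the gateway address), and renders the same four FortiOS CLI blocks. The VlanSpec fields, the validate and render helpers and the use of 172.20.120.10 as both interface address and DHCP gateway are assumptions of this example; the VLAN name, switch serial, DHCP range and port list are the Scenario 1 values.

```python
# Added example, not from the Fortinet document: build and sanity-check the
# FortiOS CLI for a FortiLink VLAN from one spec. VlanSpec and the helpers are
# assumptions of this example; the values in MARKETING come from Scenario 1.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VlanSpec:
    name: str
    vlanid: int
    ip: str            # VLAN interface address, also used as DHCP default gateway
    netmask: str       # dotted mask, e.g. "255.255.255.0"
    dhcp_start: str
    dhcp_end: str
    switch_id: str     # managed-switch serial, e.g. FS224D3W14000370
    ports: list = field(default_factory=list)
    color: int = 1


def validate(spec):
    """Return a list of problems; an empty list means the spec is consistent."""
    problems = []
    if not 1 <= spec.vlanid <= 4094:
        problems.append(f"vlanid {spec.vlanid} outside 1-4094")
    if not 1 <= spec.color <= 32:
        problems.append(f"color {spec.color} outside 1-32")
    net = ipaddress.ip_interface(f"{spec.ip}/{spec.netmask}").network
    gw = ipaddress.ip_address(spec.ip)
    start = ipaddress.ip_address(spec.dhcp_start)
    end = ipaddress.ip_address(spec.dhcp_end)
    if start > end:
        problems.append("dhcp start-ip is after end-ip")
    for label, addr in (("start-ip", start), ("end-ip", end)):
        if addr not in net:
            problems.append(f"dhcp {label} {addr} not inside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"dhcp {label} {addr} is the network or broadcast address")
    if start <= gw <= end:
        # A lease handed out for the gateway address silently breaks the VLAN.
        problems.append(f"interface address {gw} lies inside the DHCP range")
    if not spec.ports:
        problems.append("no switch ports assigned to the VLAN")
    return problems


def render(spec):
    """Render the four FortiOS CLI blocks of the page's step 1-4 procedure."""
    lines = [
        "config switch-controller vlan",
        f"    edit {spec.name}",
        f"        set vlanid {spec.vlanid}",
        f"        set color {spec.color}",
        "    next",
        "end",
        "config system interface",
        f"    edit {spec.name}",
        f"        set ip {spec.ip} {spec.netmask}",
        "    next",
        "end",
        "config system dhcp server",
        "    edit 1",
        f"        set default-gateway {spec.ip}",
        "        set dns-service default",
        f"        set interface {spec.name}",
        "        config ip-range",
        "            edit 1",
        f"                set start-ip {spec.dhcp_start}",
        f"                set end-ip {spec.dhcp_end}",
        "            next",
        "        end",
        f"        set netmask {spec.netmask}",
        "    next",
        "end",
        "config switch-controller managed-switch",
        f"    edit {spec.switch_id}",
        "        config ports",
    ]
    for port in spec.ports:
        lines += [f"            edit {port}", f"                set vlan {spec.name}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Scenario 1 values from the page; 172.20.120.10 is the address the GUI steps use.
MARKETING = VlanSpec(name="marketing", vlanid=4, ip="172.20.120.10", netmask="255.255.255.0",
                     dhcp_start="172.20.120.11", dhcp_end="172.20.120.254",
                     switch_id="FS224D3W14000370", ports=["port3", "port4", "port5", "port6"],
                     color=32)

if __name__ == "__main__":
    for problem in validate(MARKETING):
        print("WARN:", problem)
    print(render(MARKETING))
```

Running the script prints the generated CLI for pasting into the FortiGate console; validate returns an empty list for the Scenario 1 values and a message for each inconsistency it finds, so a spec is only rendered after it has been checked.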
Setting up a security policy for the VLAN
The following instructions configure a basic security policy for the marketing VLAN that will allow all traffic from the marketing VLAN to have access to the Internet.
Using the web-based manager
1. Go to Policy & Objects > IPv4 Policy and select Create New. Change the following settings:
Incoming Interface | marketing
Source | all
Outgoing Interface | wan1
Destination Address | all
Schedule | always
Service | ALL
Action | ACCEPT
Enable NAT | Enable
Fixed Port |
IP Pool Configuration |
Security Profiles |
Logging Options | Log all Sessions
2. Select OK.
With this security policy in place, all computers connected to the marketing VLAN can now access the Internet.
Using the CLI
Create a security policy for the marketing VLAN.
config firewall policy
    edit 2
        set srcintf marketing
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set logtraffic all
        set nat enable
    next
end
Scenario 2: Allowing access to specific users on the marketing VLAN
The policy for the marketing VLAN from Scenario 1 will be altered so that different users have different access. The firewall policy will be created so that all three marketing employees (Jane Smith, Tom Brown, Bob Lee) have user accounts. These accounts will be put into one of two groups: full-time and part-time. Full-time employees will always have network access, while part-time employees will only have access on Mondays, Wednesdays and Fridays. This policy will apply to each user when they use any of the PCs that connect to the marketing VLAN through ports 3, 4, 5 or 6 on the FortiSwitch.
Creating a policy to match scenario 1 requires:
- Creating users.
- Creating groups.
- Creating a schedule.
- Configuring the firewall policies.
Using the web-based manager
Creating a User Group
1. Go to User & Device > User Groups and select Create New.
2. Name the user group part-time.
3. Set Type as Firewall.
4. Select OK.
The entry part-time will now appear on the user group list. Repeat these steps to create another user group, named full-time.
Creating a User
1. Go to User & Device > User Definition. Select Create New.
2. Use the User Creation Wizard to create a user. In part 1, select Local User.
3. In part 2, change the following settings:
User Name | blee
Password | password
4. In part 3, enter the email address blee@example.com
5. In part 4, select Enable and User Group. Set part-time as the group.
6. Select Done.
The entry blee will now appear in the user list. Repeat these steps to create user accounts tbrown and jsmith and add both of these accounts to the full-time group.
Creating a Schedule
1. Go to Policy & Objects > Schedules. Select Create New and then select Recurring.
2. Change the following settings:
Name | part-time_schedule
Day of the Week | Monday, Wednesday, Friday
3. Select OK.
The entry part-time_schedule will now appear on the schedules list.
Configuring the Firewall Policy
1. Go to Policy & Objects > IPv4 Policy and select the policy for the marketing VLAN. Select Edit.
2. Set the policy to use the following settings, allowing access for part-time employees:
Incoming Interface | marketing
Source Address | all
Source User(s) | part-time
Outgoing Interface | wan1
Destination Address | all
Schedule | part-time_schedule
Service | ALL
Action | ACCEPT
Enable NAT | Enable
Logging Options | Log all Sessions
3. Select OK.
4. Go to Policy & Objects > IPv4 Policy and create a new policy.
5. Change the following settings to set access for full-time employees:
Incoming Interface | marketing
Source Address | all
Source User(s) | full-time
Outgoing Interface | wan1
Destination Address | all
Schedule | always
Service | ALL
Action | ACCEPT
Enable NAT | Enable
Logging Options | Log all Sessions
6. Select OK.
You have now finished creating the policies that match scenario 1. These policies will apply to all three users when they use any of the PCs that connect to the marketing VLAN.
Using the CLI
1. Create the 3 users.
config user local
    edit blee
        set type password
        set passwd password
    next
    edit tbrown
        set type password
        set passwd password
    next
    edit jsmith
        set type password
        set passwd password
    next
end
2. Create the 2 user groups and add the users to them.
config user group
    edit part-time
        set group-type firewall
        set member blee
    next
    edit full-time
        set group-type firewall
        set member tbrown jsmith
    next
end
3. Create the schedule for part-time employees.
config firewall schedule recurring
    edit part-time_schedule
        set day monday wednesday friday
    next
end
4. Add user authentication to the firewall policy for the marketing VLAN.
config firewall policy
    edit 2
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule part-time_schedule
                set logtraffic all
                set groups part-time
                set dstaddr all
                set service ALL
            next
            edit 2
                set schedule always
                set logtraffic all
                set groups full-time
                set dstaddr all
                set service ALL
            next
        end
    next
end
Scenario 3: Adding a specific device to the marketing VLAN
Building on Scenario 2, a new policy will be created for the marketing VLAN that will be used by the marketing laptop. This policy will affect the marketing laptop that is used periodically for tasks such as boardroom presentations or for guests, tasks for which the laptop requires Internet access. The laptop will access the Internet by connecting to the marketing VLAN through ports 3, 4, 5 or 6 on the FortiSwitch. Adding a new policy for the laptop will allow it to connect without requiring user authentication and will also limit the scope of the device’s access.
Creating a policy to match scenario 2 requires:
- Assigning a reserve IP to the laptop.
- Creating a firewall address for the reserve IP.
- Creating a firewall policy that uses the reserve IP.
Using the web-based manager
Assigning a Reserve IP to the Laptop
1. Go to Network > Interfaces and select marketing.
2. Under DHCP Server, expand the Advanced options.
3. In the MAC Address Access Control List, select Create New.
4. Change the following settings:
MAC | 01:23:45:67:89:ab
IP | 172.20.120.254
Action | Reserve IP
Creating a Firewall Address for the Reserve IP
1. Go to Policy & Objects > Addresses and select Create New.
2. Change the following settings:
Category | Address
Name | marketing_laptop
Type | IP/Netmask
Subnet/IP Range | 172.20.120.254
Interface | marketing
Configuring a Firewall Policy
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Change the following settings:
Incoming Interface | marketing
Source Address | marketing_laptop
Outgoing Interface | wan1
Destination Address | all
Schedule | always
Service | HTTP HTTPS DNS
Action | ACCEPT
Enable NAT | Enabled
Logging Options | Log all Sessions
3. Select OK.
4. In the policy list, select the column on the far left for the new policy (usually Seq #) and drag the policy above the previous policy for the marketing VLAN. This will ensure that the laptop will be identified through this policy.
You have now finished creating a policy that matches scenario 2. This policy will apply to anyone who uses the laptop to connect to the marketing VLAN using an Ethernet cable.
Using the CLI
1. Assign a reserve IP to the laptop.
config system dhcp server
    edit 2
        config reserved-address
            edit 1
                set action reserved
                set ip 172.20.120.254
                set mac 01:23:45:67:89:ab
            next
        end
    next
end
2. Create a firewall address for the reserve IP.
config firewall address
    edit marketing_laptop
        set subnet 172.20.120.254
    next
end
3. Create a firewall policy for the marketing VLAN that uses the reserve IP.
config firewall policy
    edit 3
        set srcintf marketing
        set dstintf wan1
        set srcaddr marketing_laptop
        set dstaddr all
        set action accept
        set schedule always
        set service HTTP HTTPS DNS
        set logtraffic all
        set nat enable
    next
end
4. Place the new firewall policy at the top of the policy list.
config firewall policy
    move 2 after 3
end
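The ordering point in step 4 above, together with the user-group and schedule gating from Scenario 2, as an added example that is not part of the Fortinet document: a small Python model of top-down, first-match policy evaluation that also reports policies an earlier, broader policy makes unreachable. The Policy and Flow classes, the CIDR form of the address objects, the constructed test flows and the treatment of identity-based sub-entries as ordinary policies carrying a group set are simplifications assumed by this example; the interface names, addresses, policy IDs, services and schedule days are the page's own.

```python
# Added example, not from the Fortinet document: first-match evaluation of an
# ordered policy list plus shadow detection. Policy, Flow and the helpers are
# assumptions of this example; identity-based sub-policies are modelled as
# plain policies with a group set, and "all" as 0.0.0.0/0.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: list                  # CIDR strings; "0.0.0.0/0" stands for 'all'
    service: set                   # {"ALL"} or service names
    groups: set = field(default_factory=set)   # empty: no user authentication
    days: set = field(default_factory=set)     # empty: schedule 'always'


@dataclass
class Flow:
    srcintf: str
    dstintf: str
    src_ip: str
    service: str
    user_groups: set = field(default_factory=set)
    weekday: str = "monday"


def _addr_match(cidrs, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)


def policy_matches(p, f):
    return (p.srcintf == f.srcintf and p.dstintf == f.dstintf
            and _addr_match(p.srcaddr, f.src_ip)
            and ("ALL" in p.service or f.service in p.service)
            and (not p.groups or bool(p.groups & f.user_groups))
            and (not p.days or f.weekday in p.days))


def first_match(policies, flow):
    """Top-down evaluation; None models the implicit deny below the list."""
    for p in policies:
        if policy_matches(p, flow):
            return p.policy_id
    return None


def _covers(a, b):
    """True if every flow that later policy b could match is taken by earlier a."""
    nets_a = [ipaddress.ip_network(c) for c in a.srcaddr]
    addr_ok = all(any(ipaddress.ip_network(c).subnet_of(n) for n in nets_a) for c in b.srcaddr)
    svc_ok = "ALL" in a.service or b.service <= a.service
    grp_ok = not a.groups or (bool(b.groups) and b.groups <= a.groups)
    day_ok = not a.days or (bool(b.days) and b.days <= a.days)
    return (a.srcintf, a.dstintf) == (b.srcintf, b.dstintf) and addr_ok and svc_ok and grp_ok and day_ok


def shadowed(policies):
    """Return (shadowed_id, by_id) pairs: later policies that can never be hit."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if _covers(earlier, later):
                found.append((later.policy_id, earlier.policy_id))
                break
    return found


# Built from the page: policy 2 is the Scenario 1 marketing policy, policy 3 the
# Scenario 3 laptop policy, and PART_TIME stands for the Scenario 2 sub-entry.
MARKETING_ALL = Policy(2, "marketing", "wan1", ["0.0.0.0/0"], {"ALL"})
LAPTOP = Policy(3, "marketing", "wan1", ["172.20.120.254/32"], {"HTTP", "HTTPS", "DNS"})
PART_TIME = Policy(21, "marketing", "wan1", ["0.0.0.0/0"], {"ALL"},
                   groups={"part-time"}, days={"monday", "wednesday", "friday"})
# Constructed flow: the laptop trying a service its policy does not list.
LAPTOP_FLOW = Flow("marketing", "wan1", "172.20.120.254", "SMTP")

if __name__ == "__main__":
    print("before move:", shadowed([MARKETING_ALL, LAPTOP]), first_match([MARKETING_ALL, LAPTOP], LAPTOP_FLOW))
    print("after move: ", shadowed([LAPTOP, MARKETING_ALL]), first_match([LAPTOP, MARKETING_ALL], LAPTOP_FLOW))
```

With the laptop policy below the broad Scenario 1 policy, shadowed() reports it as unreachable and the laptop's SMTP attempt is accepted by policy 2; moving it above removes the shadow, but the SMTP flow still falls through to policy 2 because that policy requires no authentication. Only with the Scenario 2 identity-based policy in place of it does the laptop's non-web traffic reach the implicit deny, which is the combination the three scenarios build up to.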
Address Name | marketing VLAN
Type | Subnet
Subnet/IP Range | 172.20.120.14/255.255.255.0
Interface | marketing

Name | marketing-remote
Enable Tunnel Mode | Enable
Enable Split Tunneling | Disable
IP Pools | SSLVPN_TUNNEL_ADDR1
Enable Web Mode | Enable

Incoming Interface | ssl.root (sslvpn tunnel interface)
Source Address | marketing_laptop
Outgoing Interface | marketing
Destination Address | all
Schedule | always
Service | ALL
Action | ACCEPT
Enable NAT | Enabled
Logging Options | Log all Sessions

Incoming Interface | ssl.root (sslvpn tunnel interface)
Source Address | marketing_laptop
Outgoing Interface | wan1
Destination Address | all
Schedule | always
Service | HTTP HTTPS DNS
Action | ACCEPT
Enable NAT | Enabled
Logging Options | Log all Sessions
The FortiClient SSL VPN tunnel client will also need to be configured in order for Tom Brown to connect to the SSL VPN tunnel.
The SFP ports should only be used to connect UL-listed optical transceiver products, rated Laser Class 1.33V DC.
SFP ports are only available on certain FortiSwitch models. SFP ports are also shared with Ethernet ports and so when an SFP port is used, the Ethernet port with the same number cannot be.
Name | accounting
Color |
IP/Network Mask | 172.20.130.15/255.255.255.0

Incoming Interface | accounting
Source Address | all
Outgoing Interface | wan1
Destination Address | all
Schedule | always
Service | ALL
Action | ACCEPT
Enable NAT | Enabled
Logging Options | Log all Sessions

Name | voip
Color |
IP/Network Mask | 172.20.140.16/255.255.255.0

Category | Address
Name | voip
Color |
Type | IP Range
Subnet/IP Range | 10.10.10.10-10.10.10.50
Interface | voip

Incoming Interface | voip
Source Address | voip_phone
Outgoing Interface | wan1
Destination Address | all
Schedule | always
Service | SIP
Action | ACCEPT
Enable NAT | Enabled
Logging Options | Log all Sessions

Name | access_point
Color |
IP/Network Mask | 172.20.150.17/255.255.255.0
DHCP Server | Enable

Name | WLAN
Type | WiFi SSID
Traffic Mode | Tunnel to Wireless Controller
IP/Network Mask | 172.20.150.17/255.255.255.0
DHCP Server | Enabled
SSID | wireless
Pre-shared Key | password

Incoming Interface | access_point
Outgoing Interface | wan1
Destination Address | all
Schedule | always
Service | HTTP HTTPS DNS
Action | ACCEPT
Enable NAT | Enabled
Logging Options | Log all Sessions