FortiLink

FortiGate units can be used to remotely manage FortiSwitch units, which is also known as using a FortiSwitch in FortiLink mode. FortiLink defines the management interface and the remote management protocol between the FortiGate and the FortiSwitch.

Supported FortiSwitch models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.

FortiSwitch       FortiGate               Earliest FortiSwitchOS   Earliest FortiOS
FS-224D-POE       FGT-90D (WiFi/POE)      3.0.0                    5.2.2
FS-108D-POE       FGT-60D (all)           3.0.1                    5.2.3
FSR-112D-POE      FGR-90D                 3.0.1                    5.2.3
FS-124D           FGT-90D + FGT-60D       3.0.1                    5.2.3
FS-124D-POE       FGT-90D + FGT-60D       3.0.1                    5.2.3
FS-224D-FPOE      FGT-90D + FGT-60D       3.0.1                    5.2.3

Note that all FortiSwitches above also support FortiLink mode when paired with the following FortiGate models: 100D, 140D (POE, T1), 200D, 240D, 280D (POE), 600C, 800C, and 1000C.

FortiLink ports for each FortiSwitch model

Each FortiSwitch model provides one designated port for the FortiLink connection. The table below lists the FortiLink port for each model:

FortiSwitch model       Port for FortiLink connection
FS-28C                  WAN port 1
FS-324B-POE             Management port
FS-448B (10G only)      WAN port (uplink 1)
FS-348B                 Last port (port 48)

For all D-series switches, use the last (highest number) port for FortiLink. For example:

FortiSwitch model       Port for FortiLink connection
FS-108D-POE             Last port (port 10)
FSR-112D-POE            Last port (port 12)
FS-124D                 Last port (port 26). May require an SFP module.*
FS-224D-POE             Last port (port 24)
FS-224D-FPOE            Last port (port 28). May require an SFP module.*

* FortiSwitch 3.3.1 and later releases support the use of an RJ-45 port for FortiLink. Please contact Fortinet Customer Service & Support for additional information.

FortiLink ports for each FortiGate model

The following table shows the ports for each model of FortiGate that can be FortiLink-dedicated.

FortiGate model                                         Port for FortiLink connection
FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE              port1 - port14
FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE              port1 - port7
FGT-100D                                                port1 - port16
FGT-140D, FGT-140D-POE, FGT-140D-POE-T1                 port1 - port36
FGT-200D                                                port1 - port16
FGT-240D                                                port1 - port40
FGT-280D, FGT-280D-POE                                  port1 - port84
FGT-600C                                                port3 - port22
FGT-800C                                                port3 - port24
FGT-1000C                                               port3 - port14, port23, port24

Auto-discovery of the FortiSwitch ports

In FortiSwitchOS 3.3.0 and later releases, the D-series FortiSwitch models support FortiLink auto-discovery, which is automatic detection of the port connected to the FortiGate.

You can use any of the switch ports for FortiLink. Use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface
    edit <port>
        set auto-discovery-fortilink enable
    next
end

Note that some FortiSwitch ports are enabled for auto-discovery by default.

Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.

In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. The table below lists the default auto-discovery ports for each switch model:

FortiSwitch model                            Default auto-FortiLink ports
FS-108D                                      ports 9 and 10
FSR-112D                                     ports 9, 10, 11, and 12
FS-124D, FS-124D-POE                         ports 23, 24, 25, and 26
FS-224D-POE                                  ports 21, 22, 23, and 24
FS-224D-FPOE                                 ports 25, 26, 27, and 28
FS-248D-POE                                  ports 49, 50, 51, and 52
FS-248D-FPOE                                 ports 49, 50, 51, and 52
FS-424D, FS-424D-POE, FS-424D-FPOE           ports 25 and 26
FS-448D, FS-448D-POE, FS-448D-FPOE           ports 49, 50, 51, and 52
FS-524D, FS-524D-FPOE                        ports 25, 26, 27, 28, 29, and 30
FS-548D, FS-548D-FPOE                        ports 49, 50, 51, 52, 53, and 54
FS-1024D, FS-1048D, FS-3032D                 all ports

You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.

Adding a Managed FortiSwitch to the FortiGate

The following steps show how to add a new managed FortiSwitch using the FortiGate GUI or the CLI.

Using the FortiGate GUI:

  1. Connect a cable from the designated FortiSwitch port to an unused port on the FortiGate. Refer to FortiLink ports for each FortiSwitch model for additional information.
  2. Go to Network > Interfaces and edit an internal port on the FortiGate.
  3. Set Addressing mode to Dedicated to FortiSwitch and select OK.
  4. As of FortiOS 5.4.0, the Managed FortiSwitch GUI option can only be accessed by enabling it through the CLI console.

Open the CLI console and enter the following commands to make the switch controller available in the GUI and to set the reserved subnetwork for the controller:

config system global
    set switch-controller enable
    set switch-controller-reserved-network 169.254.254.0 255.255.255.0
end

  5. Go to WiFi & Switch Controller > Managed FortiSwitch. The new FortiSwitch should now be displayed in the table.
  6. Right-click on the FortiSwitch and select Authorize.

Using the FortiGate CLI:

Note that, for the example shown below, the FortiGate’s port1 is configured as the FortiLink port.

  1. If required, remove port1 from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port1
        end
    next
end

  2. Configure the interface for port1:

config system interface
    edit port1
        set ip 172.20.120.10 255.255.255.0
        set allowaccess capwap
        set vlanforward enable
    next
end

  3. Configure an NTP server on port1:

config system ntp
    set server-mode enable
    set interface port1
end

  4. Authorize the FortiSwitch unit as a managed switch (note that the FortiSwitch will reboot once you issue the command below):

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end

  5. Configure a DHCP server on port1:

config system dhcp server
    edit 0
        set netmask 255.255.255.252
        set interface port1
        config ip-range
            edit 0
                set start-ip 169.254.254.2
                set end-ip 169.254.254.50
            next
        end
        set vci-match enable
        set vci-string FortiSwitch
        set ntp-service local
    next
end
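As an added example (not part of the original post or Fortinet's own tooling), a small Python check for the FortiLink DHCP scope: it reads the set lines of a DHCP server block like the one in step 5, verifies that the lease range lies inside the reserved switch-controller network and inside the subnet implied by the netmask, and confirms that vci-match restricts leases to FortiSwitch units. The sample block is constructed from the values on this page, and parse_settings and check_fortilink_dhcp are hypothetical helper names.

```python
import ipaddress

# Constructed sample, mirroring the FortiLink DHCP server block from step 5 above.
SAMPLE_DHCP = """\
config system dhcp server
    edit 0
        set netmask 255.255.255.252
        set interface port1
        config ip-range
            edit 0
                set start-ip 169.254.254.2
                set end-ip 169.254.254.50
            next
        end
        set vci-match enable
        set vci-string FortiSwitch
        set ntp-service local
    next
end
"""


def parse_settings(block: str) -> dict:
    """Collect 'set <key> <value...>' lines from a FortiOS CLI block.
    Flat parse: nesting is ignored, which is enough for a single DHCP scope."""
    settings = {}
    for line in block.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            settings[parts[1]] = " ".join(parts[2:])
    return settings


def check_fortilink_dhcp(block: str, reserved: str = "169.254.254.0/24") -> list:
    """Return findings for a FortiLink DHCP scope; an empty list means it is consistent."""
    s = parse_settings(block)
    findings = []
    net = ipaddress.ip_network(reserved)
    start = ipaddress.ip_address(s["start-ip"])
    end = ipaddress.ip_address(s["end-ip"])
    if start not in net or end not in net:
        findings.append(f"range {start}-{end} lies outside reserved network {net}")
    # The netmask set on the scope must actually cover the whole lease range.
    scope = ipaddress.ip_network(f"{start}/{s['netmask']}", strict=False)
    if end not in scope:
        findings.append(f"netmask {s['netmask']} gives subnet {scope}, which excludes end-ip {end}")
    # vci-match keeps the FortiLink segment from leasing addresses to non-FortiSwitch devices.
    if s.get("vci-match") != "enable" or s.get("vci-string") != "FortiSwitch":
        findings.append("vci-match/vci-string do not restrict leases to FortiSwitch units")
    return findings
```

Run against the page's values the check reports that the /30 netmask does not cover a range ending at .50; widening the netmask to 255.255.255.0 clears it.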

Set the FortiSwitch to Remote Management mode

Use the FortiSwitch GUI or the CLI to set the remote management mode.

Note that the following steps are not necessary for FortiSwitchOS releases 3.3.0 or later.

Using the FortiSwitch GUI:

  1. Go to System > Dashboard > Status and locate the System Information widget.
  2. Beside Operation Mode, select Change.
  3. Change Management Mode to FortiGate Remote Management and select OK.
  4. A warning will appear asking if you wish to continue. Select OK.

Using the FortiSwitch CLI:

config system global
    set switch-mgmt-mode fortilink
end

Configuring the FortiSwitch Remote Management port

If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

To do this, from the FortiSwitch CLI, enter the following command:

config router static
    edit 1
        set device mgmt
        set gateway <router_IP_address>
        set dst <router_subnet> <subnet_mask>
    next
end

Configuring FortiLink LAG

Starting with FortiOS 5.4.0 and FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased bandwidth between the FortiGate and the FortiSwitch.

Connect any two ports on the FortiGate to two ports on the FortiSwitch. Make sure that you use the designated FortiLink port as one of the ports on the switch.

To configure the FortiLink as a LAG on the FortiGate, create a trunk (of type fortilink) with the two ports that you connected to the switch, and point the NTP server at it:

config system interface
    edit "fortilink"
        set vdom root
        set allowaccess ping capwap http https
        set type fortilink
        set member port4 port5
        set snmp-index 17
        set lacp-mode static
    next
end
config system ntp
    set ntpsync enable
    set syncinterval 60
    set server-mode enable
    set interface "fortilink"
end

There is no specific configuration required for the LAG on the switch.

This entry was posted in FortiGate, FortiSwitch.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
