FortiLink configuration using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

You can also configure FortiLink mode over a layer-3 network.

Summary of the procedure

  1. Configure FortiLink on a physical port or configure FortiLink on a logical interface.
  2. Configure NTP.
  3. Authorize the managed FortiSwitch unit.
  4. Configure DHCP.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.

In the following steps, port 1 is configured as the FortiLink port.

  1. If required, remove port 1 from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port1
        end
    end
end

  2. Configure port 1 as the FortiLink interface:

config system interface
    edit port1
        set auto-auth-extension-device enable
        set fortilink enable
    end
end

  3. Configure an NTP server on port 1:

config system ntp
    set server-mode enable
    set interface port1
end

  4. Authorize the FortiSwitch unit as a managed switch:

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    end
end

NOTE: The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate unit to the FortiSwitch unit. Ensure that auto-discovery is configured on the FortiSwitch ports you use (unless those ports are auto-discovery ports by default).

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

  1. If required, remove the FortiLink ports from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port4
            delete port5
        end
    end
end

  2. Create a trunk with the two ports that you connected to the switch:

config system interface
    edit flink1 (enter a name, 11 characters maximum)
        set ip 169.254.3.1 255.255.255.0
        set allowaccess ping capwap https
        set vlanforward enable
        set type aggregate
        set member port4 port5
        set lacp-mode static
        set fortilink enable
        (optional) set fortilink-split-interface enable
    next
end

NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable fortilink-split-interface.

  3. Authorize the FortiSwitch unit as a managed switch:

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    end
end

NOTE: The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.
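The LAG procedure above carries three constraints that are easy to get wrong by hand: the 11-character name limit, the fortilink-split-interface requirement when the members reach more than one FortiSwitch, and the narrow allowaccess list (ping, capwap, https) on the FortiLink interface. The following Python helper is an added example, not code from this guide or from Fortinet; it renders the same CLI block from parameters and refuses to emit it when one of those constraints is violated. The FortiLinkLag class, its field names and the error strings are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Limits taken from the procedure: name at most 11 characters, and the only
# services the FortiLink interface opens are ping, capwap and https. Wider
# access (ssh, http, telnet, snmp) is refused so the link stays least-privilege.
MAX_NAME_LEN = 11
PERMITTED_ACCESS = {"ping", "capwap", "https"}


@dataclass
class FortiLinkLag:  # hypothetical helper, not a FortiOS object
    name: str
    members: list          # FortiGate ports cabled to the FortiSwitch(es)
    switch_count: int = 1  # FortiSwitch units the members fan out to
    ip: str = "169.254.3.1"
    mask: str = "255.255.255.0"
    allowaccess: tuple = ("ping", "capwap", "https")

    def validate(self) -> list:
        errors = []
        if not 1 <= len(self.name) <= MAX_NAME_LEN:
            errors.append(f"name must be 1-{MAX_NAME_LEN} characters")
        if len(self.members) < 2 or len(set(self.members)) != len(self.members):
            errors.append("aggregate needs at least two distinct member ports")
        extra = set(self.allowaccess) - PERMITTED_ACCESS
        if extra:
            errors.append(f"allowaccess too broad for FortiLink: {sorted(extra)}")
        try:
            ipaddress.IPv4Interface(f"{self.ip}/{self.mask}")
        except ValueError:
            errors.append(f"invalid IPv4 address/mask {self.ip}/{self.mask}")
        return errors

    def render(self) -> str:
        # Emits the CLI block; fortilink-split-interface is added only when the
        # members reach more than one FortiSwitch, as the note above requires.
        errors = self.validate()
        if errors:
            raise ValueError("; ".join(errors))
        lines = ["config system interface", f"    edit {self.name}",
                 f"        set ip {self.ip} {self.mask}",
                 f"        set allowaccess {' '.join(self.allowaccess)}",
                 "        set vlanforward enable", "        set type aggregate",
                 f"        set member {' '.join(self.members)}",
                 "        set lacp-mode static", "        set fortilink enable"]
        if self.switch_count > 1:
            lines.append("        set fortilink-split-interface enable")
        return "\n".join(lines + ["    next", "end"])
```

Calling FortiLinkLag("flink1", ["port4", "port5"], switch_count=2).render() reproduces the block from step 2 with the split-interface line included.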

Enable multiple FortiLink interfaces

NOTE: Only the first FortiLink interface has GUI support.

Use the following command to enable or disable multiple FortiLink interfaces.

config switch-controller global
    set allow-multiple-interfaces {enable | disable}
end

FortiLink mode over a layer-3 network

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

  • All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as a syslog or 802.1X server.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

To configure a FortiSwitch unit to operate in a layer-3 network:

  1. Reset the FortiSwitch unit to factory default settings with the execute factoryreset command.
  2. Manually set the FortiSwitch unit to FortiLink mode:

config system global
    set switch-mgmt-mode fortilink
end

  3. Configure the discovery setting for the FortiSwitch unit. You can use either DHCP discovery or static discovery.

The default dhcp-option-code is 138.

To use DHCP discovery:

config switch-controller global
    set ac-discovery dhcp
    set dhcp-option-code <integer>
end

To use static discovery:

config switch-controller global
    set ac-discovery static
    config ac-list
        edit <id>
            set ipv4-address <IPv4_address>
        next
    end
end

  4. Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch unit is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

config switch interface
    edit <port_number>
        set fortilink-l3-mode enable
    end
end

NOTE: The NTP server must be configured on the FortiSwitch unit, either manually or through DHCP, and must be reachable from the FortiSwitch unit.

This entry was posted in Administration Guides, FortiOS 6, FortiSwitch.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiLink configuration using the FortiGate CLI”

  1. Brian

    Is it possible to remove the FortiLink interface setting on a FortiGate 40F and add it to the hardware switch like interfaces 1-3 are by default? Won’t be using a FortiSwitch, so it’s just a burned port at this point.

    Thanks and love your site!
