FortiLink configuration using the FortiGate GUI

FortiLink configuration using the FortiGate GUI

You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

Summary of the procedure

  1. On the FortiGate unit, configure the FortLink port or create a logical FortLink interface.
  2. Authorize the managed FortiSwitch unit.

Configure FortiLink as a single link

To configure the FortiLink port on the FortiGate unit:

  1. Go to Network > Interfaces.
  2. (Optional) If the FortiLink physical port is currently included in the internal interface, edit it and remove the desired port from the Physical Interface Members.
  3. Edit the FortiLink port.
  4. Set Addressing mode to Dedicated to FortiSwitch.
  5. Configure the IP/Network Mask for your network.
  6. Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
  7. Select OK.

Configure FortiLink as a logical interface

You can configure the FortiLink as a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate unit to the FortiSwitch unit. Ensure that you configure auto-discovery on the FortiSwitch ports (unless it is so by default).

  1. Go to Network > Interfaces.
  2. (Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface, and remove the desired ports from the Physical Interface Members.
  3. Select Create New > Interface.
  4. Enter a name for the interface (11 characters maximum).
  5. Set the Type to 3ad Aggregate, Hardware Switch, or Software Switch.
  6. Select the FortiGate ports for the logical interface.
  7. Set Addressing mode to Dedicated to FortiSwitch.
  8. Configure the IP/Network Mask for your network.
  9. Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
  10. Select OK.

FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).

You must enable the split interface on the FortiLink aggregate interface using the FortiGate CLI:

config system interface edit <name of the FortiLink interface> set fortilink-split-interface enable

end

Authorizing the FortiSwitch unit

If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

Adding preauthorized FortiSwitch units

After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Click Create New.
  3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
  4. Move the Authorized slider to the right.
  5. Click OK.

The Managed FortiSwitch page shows a FortiSwitch faceplate for the preauthorized switch.

 

Managed FortiSwitch display

Go to WiFi & Switch Controller> Managed FortiSwitch to see all of the switches being managed by your FortiGate.

When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the FortiSwitch faceplate), and the link between the ports is a solid line.

If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit the FortiSwitch unit though and find more information about the status of the switch. The link to the FortiSwitch unit might be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware versions being out of synch, and so on. You need to make sure the firmware running on the FortiSwitch unit is compatible with the firmware running on the FortiGate unit.

From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.

Edit a managed FortiSwitch unit

To edit a managed FortiSwitch unit:

  1. Go to Wifi & Switch Controller> Managed FortiSwitch.
  2. Click on the FortiSwitch to and click Edit, right-click on a FortiSwitch unit and select Edit, or double-click on a FortiSwitch unit.

From the Edit Managed FortiSwitch form, you can:

  • Change the Name and Description of the FortiSwitch unit. l View the Status of the FortiSwitch unit.
  • Restart the FortiSwitch.
  • Authorize or deauthorize the FortiSwitch. l Update the firmware running on the switch.

Network interface display

On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI indicates Dedicated to FortiSwitch in the IP/Netmask field.

Add link aggregation groups (Trunks)

To create a link aggregation group for FortiSwitch user ports:

  1. Go to WiFi & Switch Controller> FortiSwitch Ports.
  2. Click Create New > Trunk.
  3. In the New Trunk Group page, enter a Name for the trunk group.
  4. Select two or more physical ports to add to the trunk group.
  5. Select the Mode: Static, Passive LACP, or Active LACP.
  6. Click OK.

Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports

Go to WiFi & Switch Controller> FortiSwitch Ports. Right-click any port and then enable or disable the following features:

  • DHCP blocking—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.
  • IGMP snooping—IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
  • Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network topology.
  • Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
  • STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
  • STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

 

This entry was posted in Administration Guides, FortiOS 6, FortiSwitch on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiLink configuration using the FortiGate GUI

  1. Mike Butash

    Curious if you’ve ever tried FortiSwitch interoperability with something else running MST, like Arista switches. So far my fortiswitch just dies if configuring any mst commands from the fortigate or the fortiswitch direct, not a pleasant experience.

    I have made everything from Juniper, Cisco, Arista, HP, 3com, Dell, Netgear, Linksys, and about any other platform work with mst with some degree of success, but not fortigate so far…

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.