Category Archives: FortiSwitch

FortiLink configuration using the FortiGate CLI

FortiLink configuration using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

You can also configure FortiLink mode over a layer-3 network.

Summary of the procedure

  1. Configure FortiLink on a physical port or configure FortiLink on a logical interface.
  2. Configure NTP.
  3. Authorize the managed FortiSwitch unit.
  4. Configure DHCP.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.

In the following steps, port 1 is configured as the FortiLink port.

  1. If required, remove port 1 from the lan interface:

config system virtual-switch edit lan config port delete port1

end

end

end

  1. Configure port 1 as the FortiLink interface:

config system interface edit port1 set auto-auth-extension-device enable set fortilink enable

end

end

  1. Configure an NTP server on port 1:

config system ntp set server-mode enable set interface port1 end

 

  1. Authorize the FortiSwitch unit as a managed switch.

config switch-controller managed-switch edit FS224D3W14000370 set fsw-wan1-admin enable

end

end

NOTE: The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Ensure that you configure autodiscovery on the FortiSwitch ports (unless it is auto-discovery by default).

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

  1. If required, remove the FortiLink ports from the lan interface:

config system virtual-switch edit lan config port delete port4 delete port5

end

end

end

  1. Create a trunk with the two ports that you connected to the switch:

config system interface edit flink1 (enter a name, 11 characters maximum) set ip 169.254.3.1 255.255.255.0 set allowaccess ping capwap https set vlanforward enable set type aggregate set member port4 port5 set lacp-mode static set fortilink enable

(optional) set fortilink-split-interface enable next

end

NOTE: If the members of the aggregate interface connect to more than one FortiSwitch, you must enable fortilink-split-interface.

  1. Authorize the FortiSwitch unit as a managed switch.

config switch-controller managed-switch edit FS224D3W14000370

set fsw-wan1-admin enable

end

end

NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command.

Enable multiple FortiLink interfaces

NOTE: Only the first FortiLink interface has GUI support.

Use the following command to enable or disable multiple FortiLink interfaces.

config switch-controller global set allow-multiple-interfaces {enable | disable}

end

FortiLink mode over a layer-3 network

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

  • All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any featureconfigured destination, such as syslog or 802.1x.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

To configure a FortiSwitch unit to operate in a layer-3 network:

  1. Reset the FortiSwitch to factory default settings with the execute factoryreset
  2. Manually set the FortiSwitch unit to FortiLink mode:

config system global

set switch-mgmt-mode fortilink end

  1. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.

The default dhcp-option-code is 138.

To use DHCP discovery:

config switch-controller global      set ac-discovery dhcp      set dhcp-option-code <integer> end

To use static discovery:

config switch-controller global

set ac-discovery static

config ac-list

edit <id>

set ipv4-address <IPv4_address>

next

end

end

  1. Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

config switch interface edit <port_number> set fortilink-l3-mode enable

end

end

NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.

FortiLink configuration using the FortiGate GUI

FortiLink configuration using the FortiGate GUI

You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

Summary of the procedure

  1. On the FortiGate unit, configure the FortLink port or create a logical FortLink interface.
  2. Authorize the managed FortiSwitch unit.

Configure FortiLink as a single link

To configure the FortiLink port on the FortiGate unit:

  1. Go to Network > Interfaces.
  2. (Optional) If the FortiLink physical port is currently included in the internal interface, edit it and remove the desired port from the Physical Interface Members.
  3. Edit the FortiLink port.
  4. Set Addressing mode to Dedicated to FortiSwitch.
  5. Configure the IP/Network Mask for your network.
  6. Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
  7. Select OK.

Configure FortiLink as a logical interface

You can configure the FortiLink as a logical interface: link-aggregation group (LAG), hardware switch, or software switch).

LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate unit to the FortiSwitch unit. Ensure that you configure auto-discovery on the FortiSwitch ports (unless it is so by default).

  1. Go to Network > Interfaces.
  2. (Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface, and remove the desired ports from the Physical Interface Members.
  3. Select Create New > Interface.
  4. Enter a name for the interface (11 characters maximum).
  5. Set the Type to 3ad Aggregate, Hardware Switch, or Software Switch.
  6. Select the FortiGate ports for the logical interface.
  7. Set Addressing mode to Dedicated to FortiSwitch.
  8. Configure the IP/Network Mask for your network.
  9. Optionally select Automatically authorize devices or disable to manually authorize the FortiSwitch.
  10. Select OK.

FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).

You must enable the split interface on the FortiLink aggregate interface using the FortiGate CLI:

config system interface edit <name of the FortiLink interface> set fortilink-split-interface enable

end

Authorizing the FortiSwitch unit

If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Optionally, click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

Adding preauthorized FortiSwitch units

After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Click Create New.
  3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
  4. Move the Authorized slider to the right.
  5. Click OK.

The Managed FortiSwitch page shows a FortiSwitch faceplate for the preauthorized switch.

 

Managed FortiSwitch display

Go to WiFi & Switch Controller> Managed FortiSwitch to see all of the switches being managed by your FortiGate.

When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the FortiSwitch faceplate), and the link between the ports is a solid line.

If the link has gone down for some reason, the line will be dashed, and a broken link icon will appear. You can still edit the FortiSwitch unit though and find more information about the status of the switch. The link to the FortiSwitch unit might be down for a number of reasons; for example, a problem with the cable linking the two devices, firmware versions being out of synch, and so on. You need to make sure the firmware running on the FortiSwitch unit is compatible with the firmware running on the FortiGate unit.

From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.

Edit a managed FortiSwitch unit

To edit a managed FortiSwitch unit:

  1. Go to Wifi & Switch Controller> Managed FortiSwitch.
  2. Click on the FortiSwitch to and click Edit, right-click on a FortiSwitch unit and select Edit, or double-click on a FortiSwitch unit.

From the Edit Managed FortiSwitch form, you can:

  • Change the Name and Description of the FortiSwitch unit. l View the Status of the FortiSwitch unit.
  • Restart the FortiSwitch.
  • Authorize or deauthorize the FortiSwitch. l Update the firmware running on the switch.

Network interface display

On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI indicates Dedicated to FortiSwitch in the IP/Netmask field.

Add link aggregation groups (Trunks)

To create a link aggregation group for FortiSwitch user ports:

  1. Go to WiFi & Switch Controller> FortiSwitch Ports.
  2. Click Create New > Trunk.
  3. In the New Trunk Group page, enter a Name for the trunk group.
  4. Select two or more physical ports to add to the trunk group.
  5. Select the Mode: Static, Passive LACP, or Active LACP.
  6. Click OK.

Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports

Go to WiFi & Switch Controller> FortiSwitch Ports. Right-click any port and then enable or disable the following features:

  • DHCP blocking—The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters messages on untrusted ports.
  • IGMP snooping—IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
  • Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network topology.
  • Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
  • STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
  • STP BPDU guard—Similar to root guard, BPDU guard protects the designed network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

 

Connecting FortiLink ports

Connecting FortiLink ports

This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.

In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.

You can chose to connect a single FortiLink port or multiple FortiLink ports as a logical interface (link-aggregation group, hardware switch, or software switch).

1. Enable the switch controller on the FortiGate unit

Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the FortiGate unit with the FortiGate web-based manager or CLI to enable the switch controller. Depending on the FortiGate model and software release, this feature might be enabled by default.

Using the FortiGate GUI

  1. Go to System > Feature Visibility.
  2. Turn on the Switch Controller feature, which is in the Basic Features
  3. Select Apply.

The menu option WiFi & Switch Controller now appears.

Using the FortiGate CLI

Use the following commands to enable the switch controller:

config system global set switch-controller enable

end

2. Connect the FortiSwitch unit and FortiGate unit

FortiSwitchOS 3.3.0 and later provides flexibility for FortiLink:

  • Use any switch port for FortiLink l Provides auto-discovery of the FortiLink ports on the FortiSwitch
  • Choice of a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG)

Auto-discovery of the FortiSwitch ports

In FortiSwitchOS 3.3.0 and later releases, D-series FortiSwitch models support FortiLink auto-discovery, on automatic detection of the port connected to the FortiGate unit.

You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface edit <port>

set auto-discovery-fortilink enable

end

By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect the FortiLink using one of these ports, no switch configuration is required.

In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface command on the FortiSwitch unit to see the ports that have autodiscovery enabled.

The following table lists the default auto-discovery ports for each switch model.

NOTE: Any port can be used for FortiLink if it is manually configured.

FortiSwitch Model Default Auto-FortiLink ports
FS-108D ports 9 and 10
FS-108D-POE ports 9 and 10
FSR-112D ports 9, 10, 11 and 12
FSR-112D-POE ports 5, 6, 7, 8, 9, 10, 11, and 12
FS-124D, FS-124D-POE ports 23, 24, 25, and 26
FS-224D-POE ports 21, 22, 23, and 24
FS-224D-FPOE ports 21, 22, 23, 24, 25, 26, 27, and 28
FS-248D, FS-248D-FPOE, FS-448D, FS448D-FPOE, FS-448D-POE ports 45, 46, 47, 48, 49, 50, 51, and 52
FS-248D-POE ports 47, 48, 49, and 50
FS-424D, FS-424D-POE, FS-424D-FPOE ports 23, 24, 25, and 26
FS-524D, FS-524D-FPOE ports 21, 22, 23, 24, 25, 26, 27, 28, 29, and 30
FS-548D, FS-548D-FPOE ports 45, 46, 47, 48, 49, 50, 51, 52, 53, and 54
FS-1024D, FS-1048D, FS-3032D all ports

Choosing the FortiGate ports

The FortiGate unit manages all of the switches through one active FortiLink. The FortiLink can consist of one port or multiple ports (for a LAG).

  1. Connect the FortiSwitch unit and FortiGate unit Connecting FortiLink ports

As a general rule, FortiLink is supported on all ports that are not listed as HA ports.

 

Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI

Upgrade the firmware on multiple FortiSwitch units at the same time using the GUI (462553)

To upgrade the firmware on multiple FortiSwitch units at the same time:

  1. Go to WiFi & Switch Controller> Managed FortiSwitch.
  2. Select the faceplates of the FortiSwitch units that you want to upgrade.
  3. Click Upgrade.

The Upgrade FortiSwitches page opens.

  1. Select FortiGuard or select Upload and then select the firmware file to upload.

You can select only one firmware image to use to upgrade the selected FortiSwitch units. If the FortiSwitch unit already has the latest firmware image, it will not be upgraded.

  1. Select Upgrade.

CLI changes for FortiLink mode

CLI changes for FortiLink mode (447349, 473773)

There are changes to the execute switch-controller get-physical-connection, execute switch-controller get-conn-status, and diagnose switch-controller dump networkupgrade status CLI commands.

  • The execute switch-controller get-physical-connection CLI command has new parameters:

Use the execute switch-controller get-physical-connection standard command to get the FortiSwitch stack connectivity graph in the standard output format.

Use the execute switch-controller get-physical-connection dot command to get the

FortiSwitch stack connectivity graph in a .dot (Graphviz) output format.

  • The execute switch-controller get-conn-status CLI command output now includes virtual

FortiSwitch units. Virtual FortiSwitch units are indicated by an asterisk (*) after the switch identifier. For example:

execute switch-controller get-conn-status

STACK-NAME: FortiSwitch-Stack-port2      
SWITCH-ID            VERSION STATUS ADDRESS JOIN-TIME NAME
S108DV2EJZDAC42F     v3.6.0 Authorized/Up 169.254.2.4 Thu Feb 8 17:07:35 2018
S108DV4FQON40Q07     v3.6.0 Authorized/Up 169.254.2.5 Thu Feb 8 17:08:37 2018
S108DVBWVLH4QGEB     v3.6.0 Authorized/Up 169.254.2.6 Thu Feb 8 17:09:13 2018
S108DVCY19SA0CD8     v3.6.0 Authorized/Up 169.254.2.2 Thu Feb 8 17:04:41 2018
S108DVD98KMQGC44* v3.6.0 Authorized/Up 169.254.2.7 Thu Feb 8 17:10:50 2018
S108DVGGBJLQQO48* v3.6.0 Authorized/Up 169.254.2.3 Thu Feb 8 17:06:57 2018
S108DVKM5T2QEA92     v3.6.0 Authorized/Up 169.254.2.8 Thu Feb 8 17:11:00 2018
S108DVZX3VTAOO45     v3.6.0 Authorized/Up 169.254.2.9 Thu Feb 8 17:11:00 2018
Managed-Switches: 8 UP: 8 DOWN: 0      
  • The diagnose switch-controller dump network-upgrade status CLI command output now

includes the location of the image that is loaded when the FortiSwitch unit is restarted. If the Next boot column is blank, the FortiSwitch unit uses the same location each it is restarted. The status column shows the percentage downloaded, the percentage erased in flash memory, and the percentage written to flash memory.

For example:

diagnose switch-controller dump network-upgrade status

Running                                       Status       Next boot

__________________ ________________________________________ _________ ___________________________ VDOM : root

S108DVCY19SA0CD8 S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0) S108DV-v3.7.0build4277,171207 (Interim)

S108DV2EJZDAC42F S108DV-v3.6.0-build4277,171207 (Interim) (0/0/0)

Limiting the number of parallel process for FortiSwitch configuration (457103)

Limiting the number of parallel process for FortiSwitch configuration (457103)

Use the following CLI commands to reduce the number of parallel process that the switch controller uses for configuring FortiSwitch units: config global config switch-controller system set parallel-process-override enable set parallel-process <1-300>

end

end

FortiLink mode supported over a layer-3 network

FortiLink mode supported over a layer-3 network (457103)

This feature allows FortiSwitch islands (FSIs) to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FSIs contain one or more FortiSwitch units.

The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network:

  • All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within an FSI must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any featureconfigured destination, such as syslog or 802.1x.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. All switch ports must remain in standalone mode.
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.

To configure a FortiSwitch unit to operate in a layer-3 network:

  1. Reset the FortiSwitch to factory default settings with the execute factoryreset
  2. Manually set the FortiSwitch unit to FortiLink mode:

config system global

set switch-mgmt-mode fortilink end

  1. Configure the discovery setting for the FortiSwitch unit. You can either use DHCP discovery or static discovery.

The default dhcp-option-code is 138.

To use DHCP discovery:

config switch-controller global      set ac-discovery dhcp      set dhcp-option-code <integer> end

To use static discovery:

config switch-controller global

set ac-discovery static

config ac-list

edit <id>

set ipv4-address <IPv4_address>

next

end

end

  1. Configure at least one port of the FortiSwitch unit as an uplink port. When the FortiSwitch is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

config switch interface edit <port_number> set fortilink-l3-mode enable

end

end

NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. The NTP server must be reachable from the FortiSwitch unit.

Testing 802.1x authentication with monitor mode (480807)

Testing 802.1x authentication with monitor mode (480807)

Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.

To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X edit “<policy_name>”

set open-auth {enable | disable}

next

end