Fortinet Communication Ports and Protocols > FortiLink

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/08-FortiLink.htm

Chapter 12 - Fortinet Communication Ports and Protocols > FortiLink

FortiLink

FortiGate units can be used to remotely manage FortiSwitch units, which is also known as using a FortiSwitch in FortiLink mode. FortiLink defines the management interface and the remote management protocol between the FortiGate and FortiSwitch.

Adding a Managed FortiSwitch to the FortiGate

The following steps show how to add a new managed FortiSwitch using the FortiGate GUI or the CLI.

note icon For FortiSwitchOS releases prior to 3.3.0, you must Set the FortiSwitch to Remote Management mode before following the steps below.

Using the FortiGate GUI:
  1. Connect a cable from the designated FortiSwitch port to an unused port on the FortiGate. Refer to FortiLink ports for each FortiSwitch model for additional information.
  2. Go to Network > Interfaces and edit an internal port on the FortiGate.
  3. Set Addressing mode to Dedicated to FortiSwitch and select OK .
  4. As of FortiOS 5.4.0, the Managed FortiSwitch GUI option can only be accessed by enabling it through the CLI console.

Open the CLI console and enter the following command to make the switch controller available in the GUI, and to set the reserved subnetwork for the controller:

config system global

set switch-controller enable

set switch-controller-reserved-network 169.254.254.0 255.255.255.0

end

  1. Go to WiFI & Switch Controller > Managed FortiSwitch . The new FortiSwitch should now be displayed in the table.
  2. Right-click on the FortiSwitch and select Authorize .
Using the FortiGate CLI:

Note that, for the example shown below, the FortiGate’s port1 is configured as the FortiLink port.

  1. If required, remove port1 from the lan interface:

config system virtual-switch

edit lan

config port

delete port1

end

end

end

  1. Configure the interface for port1:

config system interface

edit port1

set ip 172.20.120.10 255.255.255.0

set allowaccess capwap

set vlanforward enable

end

end

  1. Configure an NTP server on port1:

config system ntp

set server-mode enable

set interface port1

end

  1. Authorize the FortiSwitch unit as a managed switch (note that that FortiSwitch will reboot once you issue the command below):

config switch-controller managed-switch

edit FS224D3W14000370

set fsw-wan1-admin enable

end

end

  1. Configure a DHCP server on port1:

config system dhcp server

edit 0

set netmask 255.255.255.252

set interface port1

config ip-range

edit 0

set start-ip 169.254.254.2

set end-ip 169.254.254.50

end

set vci-match enable

set vci-string FortiSwitch

set ntp-service local

end

end

Set the FortiSwitch to Remote Management mode

Use the FortiSwitch GUI or the CLI to set the remote management mode.

Note that the following steps are not necessary for FortiSwitchOS releases 3.3.0 or later.

Using the FortiSwitch GUI:
  1. Go to System > Dashboard > Status and locate the System Information widget.
  2. Beside Operation Mode , select Change .
  3. Change Management Mode to FortiGate Remote Management and select OK .
  4. A warning will appear asking if you wish to continue. Select OK .
Using the FortiSwitch CLI:

config system global

set switch-mgmt-mode fortilink

end

Configuring the FortiSwitch Remote Management port

If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

To do this, from the FortiSwitch CLI, enter the following command:

config router static

edit 1

set device mgmt

set gateway <router_IP_address>

set dst <router_subnet> <subnet_mask>

end

end

Configuring FortiLink LAG

Starting with FortiOS 5.4.0 and FortiSwitchOS 3.3.0, you can configure the Fortilink as a Link Aggregation Group (LAG) to provide increased bandwidth between the FortiGate and FortiSwitch.

Connect any two ports on the FortiGate to two ports on the FortiSwitch. Make sure that you use the designated Fortilink port as one of the ports on the switch.

To configure the Fortilink as a LAG on the FortiGate, create a trunk (of type fortilink) with the two ports that you connected to the switch:

config system interface

edit “fortilink”

set vdom root

set allowaccess ping capwap http https

set type fortilink

set member port4 port5

set snmp-index 17

set lacp-mode static

next

end

config system ntp

set ntpsync enable

set syncinterval 60

set server-mode enable

set interface “fortilink”

end

There is no specific configuration required for the LAG on the switch.

Supported FortiSwitch models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.

FortiSwitch FortiGate Earliest FortiSwitchOS Earlist FortiOS
FS-224D-POE FGT-90D (Wifi/POE) 3.0.0 5.2.2
FS-108D-POE FGT-60D (all) 3.0.1 5.2.3
FSR-112D-POE FGR-90D 3.0.1 5.2.3
FS-124D FGT-90D + FGT-60D 3.0.1 5.2.3
FS-124D-POE FGT-90D + FGT-60D 3.0.1 5.2.3
FS-224D-FPOE FGT-90D + FGT-60D 3.0.1 5.2.3

Note that all FortiSwitches above also support FortiLink mode when paired with the following FortiGate models: 100D, 140D (POE, T1), 200D, 240D, 280D (POE), 600C, 800C, and 1000C.

FortiLink ports for each FortiSwitch model

Each FortiSwitch model provides one designated port for the FortiLink connection. The table below lists the FortiLink port for each model:

FortiSwitch model Port for FortiLink connection
FS-28C WAN port 1
FS-324B-POE Management Port
FS-448B (10G only) WAN port (uplink 1)
FS-348B Last port (port 48)
For all D-series switches, use the last (highest number) port for FortiLink. For example:
FS-108D-POE Last port (port 10)
FSR-112D-POE Last port (port 12)
FS-124D Last port (port 26). May require an SFP module. *****
FS-224D-POE Last port (port 24)
FS-224D-FPOE Last port (port 28). May require an SFP module. *****

***** FortiSwitch 3.3.1 and later releases support the use of an RJ-45 port for FortiLink. Please contact Fortinet Customer Service & Support for additional information.

FortiLink ports for each FortiGate model

The following table shows the ports for each model of FortiGate that can be FortiLink-dedicated.

FortiGate model Port for FortiLink connection
FGT-90D, FGT-90D-POE,
FWF-90D, FWF-90D-POE port1 - port14
FGT-60D, FGT-60D-POE,
FWF-60D, FWF-60D-POE port1 - port7
FGT-100D port1 - port16
FGT-140D , 140D-POE,
140D-POE-T1 port1 - port36
FGT-200D port1 - port16
FGT-240D port1 - port40
FGT-280D, FGT-280D-POE port1 - port84
FGT-600C port3 - port22
FGT-800C port3 - port24
FGT-1000C port3 - port14, port23, port24

Auto-discovery of the FortiSwitch ports

In releases FortiSwitchOS 3.3.0 and beyond, the D-series FortiSwitch models support FortiLink auto-discovery, which is automatic detection of the port connected to the FortiGate.

You can use any of the switch ports for FortiLink. Use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface

edit

set auto-discovery-fortilink enable

end

Note that some FortiSwitch ports are enabled for auto-discovery by default.

Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.

In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. The table below lists the default auto-discovery ports for each switch model:

FortiSwitch model Default Auto-FortiLink ports
FS-108D ports 9 and 10
FSR-112D ports 9, 10, 11, and 12
FS-124D, FS-124D-POE ports 23, 24, 25, and 26
FS-224D-POE ports 21, 22, 23, and 24
FS-224D-FPOE ports 25, 26, 27, and 28
FS-248D-POE ports 49, 50, 51, and 52
FS-248D-FPOE ports 49, 50, 51, and 52
FS-424D, FS-424D-POE, FS-424D-FPOE ports 25 and 26
FS-448D, FS-448D-POE, FS-448D-FPOE ports 49, 50, 51, and 52
FS-524D, FS-524D-FPOE ports 25, 26, 27, 28, 29, and 30
FS-548D, FS-548D-FPOE ports 49, 50, 51, 52, 53, and 54
FS-1024D, FS-1048D, FS-3032D all ports

You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.


Curated by: https://www.ParagonHost.net

Est. 1999 | Paragon Host Internet Group | Web, Email, Workspace | Global Hosting Services