Administration Guide

Leveraging LLDP to simplify Security Fabric negotiation

LLDP reception is enabled on WAN interfaces, so a FortiGate that is about to join the Security Fabric is prompted as soon as it hears an upstream FortiGate advertising itself over LLDP. The interface role determines which direction of LLDP is enabled by default:

  • If the interface role is undefined, LLDP reception and transmission inherit settings from the VDOM.
  • If the interface role is WAN, LLDP reception is enabled.
  • If the interface role is LAN, LLDP transmission is enabled.

When FortiGate B's WAN interface detects that FortiGate A's LAN interface is immediately upstream (through the default gateway), and FortiGate A has the Security Fabric enabled, FortiGate B shows a notification in the GUI asking whether to join the Security Fabric. LLDP is an unauthenticated link-layer protocol, so treat the notification as a discovery hint and confirm that the advertised upstream IP belongs to the intended root FortiGate before accepting it.

To configure LLDP reception and join a Security Fabric in the GUI:
  1. On FortiGate A, go to Network > Interfaces.
  2. Configure an interface:
    • If the interface's role is undefined, under Administrative Access, set Receive LLDP and Transmit LLDP to Use VDOM Setting.

    • If the interface's role is WAN, under Administrative Access, set Receive LLDP to Enable and Transmit LLDP to Use VDOM Setting.

    • If the interface's role is LAN, under Administrative Access, set Receive LLDP to Use VDOM Setting and Transmit LLDP to Enable.

  3. Click OK. A notification is shown on FortiGate B: You can connect to a Security Fabric via an upstream FortiGate at 10.2.200.1.

  4. On FortiGate B, click the notification. The Core Network Security page opens with the Security Fabric settings. All of the required settings are configured automatically.
  5. Click OK to apply the settings.

To configure LLDP reception and join a Security Fabric in the CLI:
  1. Configure the interface on FortiGate A:
    • Undefined role
      config system interface
          edit "port3"
              set lldp-reception vdom
              set lldp-transmission vdom
              set role undefined
              ...
          next
      end
    • WAN role
      config system interface
          edit "wan1"
              set lldp-reception enable
              set lldp-transmission vdom
              set role wan
              ...
          next
      end
    • LAN role
      config system interface
          edit "port2"
              set lldp-reception vdom
              set lldp-transmission enable
              set role lan
              ...
          next
      end
  2. Edit the Security Fabric settings on FortiGate B:
    config system csf
        set status enable
        set upstream-ip 10.2.200.1
    end
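The three interface blocks above only show the interface-level setting; when a value is `vdom`, the effective state depends on the VDOM setting, which can in turn defer to the global setting. The following Python script is an added example, not Fortinet code: it parses `config system interface` blocks in the format shown above, resolves each interface's effective LLDP reception and transmission through the interface -> VDOM -> global chain, and reports whether an upstream LAN interface and a downstream WAN interface pair can trigger the join notification at all. The VDOM (`config system settings`) and global (`config system global`) values, and the interface default of `vdom`, are assumptions not shown on this page; the default-gateway adjacency and the upstream `csf` status are outside what this check models.

```python
"""Resolve effective LLDP rx/tx for FortiOS interfaces (added example, not Fortinet code).

Parses `config system interface` blocks in the form shown on this page and
applies the inheritance chain interface -> VDOM -> global. The VDOM and
global lldp-* values below are ASSUMED; the page shows interface settings only.
"""
import re
from typing import Dict, Tuple

# Constructed sample: FortiGate A's three interfaces from the guide.
SAMPLE_INTERFACE_CONFIG = """
config system interface
    edit "port3"
        set lldp-reception vdom
        set lldp-transmission vdom
        set role undefined
    next
    edit "wan1"
        set lldp-reception enable
        set lldp-transmission vdom
        set role wan
    next
    edit "port2"
        set lldp-reception vdom
        set lldp-transmission enable
        set role lan
    next
end
"""

# ASSUMED VDOM-level values (config system settings): enable | disable | global
VDOM_SETTINGS = {"lldp-reception": "global", "lldp-transmission": "global"}
# ASSUMED global values (config system global): enable | disable
GLOBAL_SETTINGS = {"lldp-reception": "enable", "lldp-transmission": "disable"}

Effective = Tuple[str, bool, bool]  # (role, rx_enabled, tx_enabled)


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface_name: {setting: value}} for each `edit ... next` block."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip()
    return interfaces


def resolve(value: str, setting: str, vdom=VDOM_SETTINGS, glob=GLOBAL_SETTINGS) -> bool:
    """Follow 'vdom' -> VDOM setting, then 'global' -> global setting, to a boolean."""
    if value == "vdom":
        value = vdom.get(setting, "global")
    if value == "global":
        value = glob.get(setting, "disable")
    return value == "enable"


def effective_lldp(interfaces, vdom=VDOM_SETTINGS, glob=GLOBAL_SETTINGS) -> Dict[str, Effective]:
    """Resolve every parsed interface to (role, rx_enabled, tx_enabled).

    A missing lldp-* setting is treated as 'vdom' (assumed FortiOS default)."""
    result: Dict[str, Effective] = {}
    for name, s in interfaces.items():
        role = s.get("role", "undefined")
        rx = resolve(s.get("lldp-reception", "vdom"), "lldp-reception", vdom, glob)
        tx = resolve(s.get("lldp-transmission", "vdom"), "lldp-transmission", vdom, glob)
        result[name] = (role, rx, tx)
    return result


def fabric_negotiation_possible(upstream_lan: Effective, downstream_wan: Effective) -> bool:
    """The downstream WAN interface can only be prompted if the upstream LAN
    interface transmits LLDP and the downstream WAN interface receives it."""
    _, _, up_tx = upstream_lan
    _, down_rx, _ = downstream_wan
    return up_tx and down_rx


if __name__ == "__main__":
    eff = effective_lldp(parse_interfaces(SAMPLE_INTERFACE_CONFIG))
    for name, (role, rx, tx) in eff.items():
        print(f"{name:6} role={role:9} rx={rx} tx={tx}")
    print("port2 -> wan1 negotiation possible:", fabric_negotiation_possible(eff["port2"], eff["wan1"]))
```

Run it as-is to see that `port3` (role undefined, both settings `vdom`) ends up not transmitting under the assumed global value, which is exactly the case in which a downstream FortiGate connected to that port would never see the join notification; pass a different `vdom` or `glob` mapping to `effective_lldp` to model your own VDOM and global settings.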
