Fortinet Document Library

Using the FortiGate GUI

This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.

You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

Summary of the procedure

  1. On the FortiGate unit, configure the FortiLink interface.
  2. Authorize the managed FortiSwitch unit manually if you did not select Automatically authorize devices.

Configure the FortiLink interface

To configure the FortiLink interface on the FortiGate unit:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Enter a name for the interface (11 characters maximum).
  3. Select + in the Interface members field and then select the ports to add to the FortiLink interface. You can create a LAG type or software/hardware switch type of FortiLink interface; these types are more scalable than a physical interface.
    NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, right-click the FortiLink physical port, select Edit, delete the port from the Interface Members field, and then select OK.
  4. Configure the IP/Network Mask for your network.
  5. Select Automatically authorize devices.
  6. Select Apply.

FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one of the two links is active at a time; the other is held in standby and takes over if the active link fails.

The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).

The FortiLink split interface is enabled by default. You can configure this feature with the FortiGate GUI and CLI.

Using the FortiGate GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the FortiLink split interface slider to enable or disable the feature.
Using the FortiGate CLI:

config system interface
    edit <name of the FortiLink interface>
        set fortilink-split-interface {enable | disable}
end

Authorizing the FortiSwitch unit

If you configured the FortiLink interface to manually authorize the FortiSwitch unit as a managed switch, perform the following steps:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on the FortiSwitch faceplate and then click Authorize. This step is required only if you did not select Automatically authorize devices on the FortiLink interface; with automatic authorization enabled, the switch is authorized as soon as it is discovered.

Adding preauthorized FortiSwitch units

After you preauthorize a FortiSwitch unit, you can assign the FortiSwitch ports to a VLAN.

To preauthorize a FortiSwitch:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Create New.
  3. In the New Managed FortiSwitch page, enter the serial number, model name, and description of the FortiSwitch.
  4. Move the Authorized slider to the right.
  5. Select OK. The Managed FortiSwitch page lists the preauthorized switch.
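The same procedure expressed in the FortiGate CLI, added here as an example rather than taken from this page: create a two-member aggregate FortiLink interface with automatic authorization turned off (so that only a switch you explicitly authorize by serial number is ever adopted), keep the split interface enabled, and then authorize or preauthorize a switch. The interface name, member ports, address range, switch serial number and the allowaccess list are assumed values; check the defaults on your own release with `show system interface`.

```fortios
# Added example, not from this page. Interface name, ports, address and
# serial number are assumptions; replace them with your own values.

# 1. Create the FortiLink interface as a LAG of two physical ports.
config system interface
    edit "fortilink"
        set type aggregate
        set member "port4" "port5"
        # Marks the interface as the switch-controller uplink
        # (shown in the GUI as "Dedicated to FortiSwitch").
        set fortilink enable
        set ip 169.254.1.1 255.255.255.0
        # Management access FortiLink needs on this interface
        # (assumed default for recent releases; verify on yours).
        set allowaccess ping fabric
        # GUI "Automatically authorize devices". Disabled here so that
        # an unknown switch plugged into a FortiLink port is discovered
        # but never adopted without an explicit authorization step.
        set auto-auth-extension-device disable
        # Split interface: enabled by default, one active link at a time.
        set fortilink-split-interface enable
    next
end

# 2. Authorize a discovered switch, or preauthorize one that has not
#    connected yet, by its serial number (assumed value below).
config switch-controller managed-switch
    edit "S124EP0000000001"
        set switch-id "S124EP0000000001"
        set name "floor2-closet-a"
        set description "Floor 2 wiring closet, rack A"
        # CLI form of the Authorized slider / Authorize button.
        set fsw-wan1-admin enable
    next
end

# 3. Verify that the switch shows as connected and authorized.
get switch-controller managed-switch
```

To deauthorize a switch from the CLI, set `fsw-wan1-admin disable` on the same entry; removing the entry altogether drops the switch from the configuration, as Remove does in the Managed FortiSwitch page.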

Managed FortiSwitch display

Go to WiFi & Switch Controller > Managed FortiSwitch to see all of the switches being managed by your FortiGate. Select Topology from the drop-down menu in the upper right corner to see which devices are connected.

When the FortiLink is established successfully, the status is green (next to the FortiGate interface name and on the FortiSwitch faceplate), and the link between the ports is a solid line.

If the link has gone down for some reason, the line is dashed, and a broken link icon appears. You can still edit the FortiSwitch unit and find more information about the status of the switch. The link to the FortiSwitch unit might be down for a number of reasons; for example, a problem with the cable linking the two devices, or firmware versions being out of sync. Make sure the firmware running on the FortiSwitch unit is compatible with the firmware running on the FortiGate unit.

From the Managed FortiSwitch page, you can edit any of the managed FortiSwitch units, remove a FortiSwitch unit from the configuration, refresh the display, connect to the CLI of a FortiSwitch unit, or deauthorize a FortiSwitch unit.

Edit a managed FortiSwitch unit

To edit a managed FortiSwitch unit:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on the FortiSwitch unit and then click Edit or right-click on a FortiSwitch unit and select Edit.

From the Edit Managed FortiSwitch form, you can:

  • Change the Name and Description of the FortiSwitch unit.
  • View the Status of the FortiSwitch unit.
  • Restart the FortiSwitch.
  • Authorize or deauthorize the FortiSwitch unit.
  • Update the firmware running on the switch.
  • Override 802.1x settings, including the reauthentication interval, maximum reauthentication attempts, and link-down action.

Network interface display

On the Network > Interfaces page, you can see the FortiGate interface connected to the FortiSwitch unit. The GUI indicates Dedicated to FortiSwitch in the IP/Netmask field.

Diagnostics and tools

The Diagnostics and Tools form reports the general health of the FortiSwitch unit, displays details about the FortiSwitch unit, and allows you to run diagnostic tests.

To view the Diagnostics and Tools form:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on the FortiSwitch unit and then click Diagnostics and Tools.

From the Diagnostics and Tools form, you can do the following:

  • Authorize or deauthorize the FortiSwitch.
  • Upgrade the firmware running on the switch.
  • Restart the FortiSwitch unit.
  • Connect to CLI to run CLI commands.
  • Show in List to return to the WiFi & Switch Controller > Managed FortiSwitch page.
  • Go to the Edit Managed FortiSwitch form.
  • Start or stop the LED Blink to identify a specific FortiSwitch unit.
  • Display a list of FortiSwitch ports and trunks and configuration details.
  • Run a Cable Test on a selected port.

You can also access the Diagnostics and Tools form from the Security Fabric > Physical Topology page.

Run LED Blink

When you have multiple FortiSwitch units and need to locate a specific switch, you can flash all port LEDs on and off for a specified number of minutes.

To identify a specific FortiSwitch unit:
  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
  3. Select LED Blink > Start and then select 5 minutes, 15 minutes, 30 minutes, or 60 minutes.
  4. After you locate the FortiSwitch unit, select LED Blink > Stop.

NOTE: For the 5xx switches, LED Blink flashes only the SFP port LEDs, instead of all the port LEDs.

Run Cable Test

NOTE: Running cable diagnostics on a port that has the link up interrupts the traffic for several seconds.

You can check the state of cables connected to a specific port. The following pair states are supported:

  • Open
  • Short
  • Ok
  • Open_Short
  • Unknown
  • Crosstalk

If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.

Using the GUI:
  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on the FortiSwitch unit and then click Diagnostics and Tools.
  3. Select Cable Test.
  4. Select a port.
  5. Select Diagnose.

NOTE: There are some limitations for cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:

  • Crosstalk cannot be detected.
  • There is a 5-second delay before results are displayed.
  • The value for the cable length is inaccurate.
  • The results are inaccurate for open and short cables.

Add link aggregation groups (trunks)

To create a link aggregation group for FortiSwitch user ports:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click Create New > Trunk.
  3. In the New Trunk Group page, enter a Name for the trunk group.
  4. Select two or more physical ports to add to the trunk group and then select Apply.
  5. Select the Mode: Static, Passive LACP, or Active LACP.
  6. Select Enabled or Disabled for the MC-LAG.
  7. Select OK.
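The same trunk expressed in the FortiGate CLI, added here as an example and not taken from this page. The switch serial number, trunk name and member ports are assumptions.

```fortios
# Added example, not from this page. Serial, trunk name and member ports
# are assumptions.
config switch-controller managed-switch
    edit "S124EP0000000001"
        config ports
            edit "trunk-to-core"
                set type trunk
                # static | lacp-passive | lacp-active. Active LACP negotiates
                # with the peer and drops a miswired member from the bundle;
                # static bundles whatever is connected.
                set mode lacp-active
                set members "port23" "port24"
                # Enable only when the two members terminate on an MC-LAG
                # peer pair; leave disabled for a single upstream switch.
                set mclag disable
            next
        end
    next
end
```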

Configure DHCP blocking, STP, and loop guard on managed FortiSwitch ports

Go to WiFi & Switch Controller > FortiSwitch Ports. Right-click any port and then enable or disable the following features:

  • DHCP Snooping—The DHCP blocking feature monitors DHCP traffic from untrusted sources (typically host ports, where a rogue or misconfigured DHCP server might appear) that could be used to hand out bogus addresses, gateways, or DNS servers. To prevent this, DHCP blocking drops DHCP server messages that arrive on untrusted ports and allows them only on trusted ports, such as the uplink to the legitimate DHCP server.
  • Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network topology.
  • Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
  • STP BPDU guard—Similar to root guard, BPDU guard protects the intended network topology. When BPDU guard is enabled on STP edge ports, any BPDUs received cause the ports to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced: a switch plugged into a host port cannot join the spanning tree.
  • STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.

STP and IGMP snooping are enabled on all ports by default. Loop guard is disabled by default on all ports.
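The per-port settings above expressed in the FortiGate CLI, added here as an example and not taken from this page. It applies the hardened profile to a user-facing access port (untrusted for DHCP, edge port with BPDU guard and loop guard), marks the uplink trunk as the only DHCP-trusted port with root guard left off because the root bridge is upstream, and enables root guard on a downlink that must never become root. DHCP snooping is switched on per VLAN first; the VLAN name, switch serial number, port and trunk names are assumptions.

```fortios
# Added example, not from this page. VLAN, serial, port and trunk names
# are assumptions.

# DHCP snooping is enabled on the VLAN; the per-port trusted/untrusted
# setting then decides which ports may carry DHCP server replies.
config system interface
    edit "users-vlan"
        set switch-controller-dhcp-snooping enable
        # Drop client packets whose source MAC differs from the DHCP
        # client hardware address (defeats spoofed DISCOVER floods).
        set switch-controller-dhcp-snooping-verify-mac enable
    next
end

config switch-controller managed-switch
    edit "S124EP0000000001"
        config ports
            # Access port facing a user host.
            edit "port5"
                set dhcp-snooping untrusted
                set stp-state enabled
                set edge-port enabled
                # Any BPDU on this edge port shuts it for 5 minutes.
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-timeout 5
                # Loop guard is off by default; on for host ports.
                set loop-guard enabled
                set stp-root-guard disabled
            next
            # Uplink trunk towards the core and the legitimate DHCP
            # server: the only DHCP-trusted port on this switch.
            edit "trunk-to-core"
                set dhcp-snooping trusted
                set stp-state enabled
                set edge-port disabled
                set stp-bpdu-guard disabled
                # Root is upstream, so root guard would block this path.
                set stp-root-guard disabled
            next
            # Downlink to a distribution switch that must never become
            # root: superior BPDUs arriving here are ignored.
            edit "port20"
                set dhcp-snooping untrusted
                set stp-state enabled
                set edge-port disabled
                set stp-root-guard enabled
            next
        end
    next
end
```

Keep the set of DHCP-trusted ports as small as possible; every trusted port is a place where a rogue server would be accepted, so it should normally be only the uplink(s) towards the real server.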