Fortinet white logo
Fortinet white logo

FortiLink Guide

Configuring FortiLink

Configuring FortiLink

Tooltip

You need to physically connect the FortiSwitch unit to the FortiGate unit only after completing this section. Some settings are only possible when the FortiGate unit has not authorized any switches.

To configure FortiLink:

1. Enabling the switch controller on the FortiGate unit

2. Configuring the FortiLink interface

3. Auto-discovery of the FortiSwitch ports

1. Enabling the switch controller on the FortiGate unit

Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the FortiGate unit with the FortiGate GUI or CLI to enable the switch controller. Depending on the FortiGate model and software release, this feature might be enabled by default.

Using the FortiGate GUI
  1. Go to System > Feature Visibility.
  2. Turn on the Switch Controller feature, which is in the Core Features list.
  3. Select Apply.

The menu option WiFi & Switch Controller now appears.

Using the FortiGate CLI

Use the following commands to enable the switch controller:

config system global

set switch-controller enable

end

2. Configuring the FortiLink interface

The FortiLink interface is created automatically as an aggregate interface type; if the FortiGate model does not support the aggregate interface type, the FortiLink interface is created automatically as a hardware switch. Fortinet recommends keeping the default type of the FortiLink; however, if a physical interface or soft-switch interface type is required, the interface must be enabled for FortiLink using the FortiOS CLI, and then the default FortiLink interface can be deleted.

The FortiLink interface type is dependent on the network topology to be deployed. See Determining the network topology.

Using the FortiGate GUI

This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.

You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

Configure the FortiLink interface

To configure the FortiLink interface on the FortiGate unit:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Select + in the Interface members field and then select the ports to add to the FortiLink interface.
    NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, right-click the FortiLink physical port, select Edit, delete the port from the Interface Members field, and then select OK.
  3. Configure the IP/Network Mask for your network.
  4. Select Automatically authorize devices.
  5. Select Apply.

FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).

The FortiLink split interface is enabled by default. You can configure this feature with the FortiGate GUI and CLI.

NOTE: The FortiLink split interface must be enabled before MCLAG is enabled on the FortiSwitch unit. After MCLAG is enabled, you can disable the FortiLink split interface to make both links active. See MCLAG peer groups.

Using the FortiGate GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the FortiLink split interface slider.
Using the FortiGate CLI:

config system interface

edit <name of the FortiLink interface>

set fortilink-split-interface {enable | disable}

end

Using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

You can also configure FortiLink mode over a layer-3 network.

Summary of the procedure

  1. On the FortiGate unit, configure the FortiLink interface.
  2. Authorize the managed FortiSwitch unit manually if you did not select Automatically authorize devices.

For example, if the IP address, members, and automatic FortiSwitch authorization are enabled:

config system interface

edit "fortilink"

set ip 172.16.16.254 255.255.255.0

set member "port9" "port10"

set auto-auth-extension-device enable

next

end

If required, remove a physical port from the lan interface:

config system virtual-switch

edit lan

config port

delete port1

end

end

end

2.1 Custom FortiLink interfaces

Choosing the FortiGate ports

The FortiLink can consist of a single (physical) or multiple ports (802.3ad aggregate, hardware switch, or software switch).

FortiLink is supported on all Ethernet ports except HA and MGMT.

If the default FortiLink interface was removed, on the FortiGate GUI, edit the interface and select Dedicated to FortiSwitch. Optionally, set the IP address and enable auto-authorization. Disable the split-interface if the interface is the aggregate type and is connecting all members to the same FortiSwitch unit.

NOTE: The FortiLink interface type is dependent upon the network topology to be deployed. See Determining the network topology.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.

In the following steps, port1 is configured as the FortiLink port.

  1. Configure port1 as the FortiLink interface with the customer IP address and automatic authorization:

    config system interface

    edit "port1"

    set fortilink enable

    set ip 172.16.16.254 255.255.255.0

    set auto-auth-extension-device enable

    next

    end

    If required, remove port1 from the lan interface:

    config system virtual-switch

    edit lan

    config port

    delete port1

    end

    end

    end

  2. (Optional) Configure an NTP server on port1:

    config system ntp

    set server-mode enable

    set interface port1

    end

  3. If automatic authorization is disabled, you need to manually authorize the FortiSwitch unit as a managed switch:

    config switch-controller managed-switch

    edit FS224D3W14000370

    set fsw-wan1-admin enable

    end

    end

  4. The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch.

LAG is supported on all FortiSwitch models. Check the FortiGate feature matrix to check which models support the hardware switch and LAG (802.3ad aggregate) interfaces.

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

Using the GUI:

To configure the FortiLink interface on the FortiGate unit:

  1. Go to Network > Interfaces and click Create New.
  2. Enter a name for the interface (11 characters maximum).
  3. For the type, select 802.3ad aggregate.
  4. Select + in the Interface members field and then select the ports to add to the FortiLink interface.

    NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, edit the lan or internal interface, delete the port from the Interface Members field, and then click OK.

  5. Configure the IP/Network Mask for your network.
  6. Select Automatically authorize devices.
  7. Click Apply.

    If you want to add a third FortiLink interface, go to WiFi & Switch Controller > FortiLink Interface and click Create new.

Using the CLI:
  1. If required, remove the FortiLink ports from the lan interface:

    config system virtual-switch

    edit lan

    config port

    delete port4

    delete port5

    end

    end

    end

  2. Create a trunk with the two ports that you connected to the switch:

    config system interface

    edit flink1 (enter a name with a maximum of 11 characters)

    set ip 172.16.16.254 255.255.255.0

    set type aggregate

    set member port4 port5

    set fortilink enable

    (optional) set fortilink-split-interface disable

    next

    end

  3. NOTE: If the members of the aggregate interface connect to the same FortiSwitch unit, you must disable fortilink-split-interface.

Configure a LAG on a FortiLink-enabled software switch

Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can configure a link-aggregation group (LAG) as a member of a software switch that is being used for FortiLink. Previously, you could not add a LAG to a software switch that was being used for FortiLink.

Note
  • You must set fortilink-neighbor-detect to lldp.

  • Aggregate interfaces do not automatically form an inter-switch link (ISL) within a FortiGate software switch. You must create the aggregate interfaces and add them to the software switch.

  • The FortiSwitch unit will automatically form an ISL with correctly configured FortiGate aggregate interfaces.

In the following example, aggregate1 and aggregate2 are FortiGate aggregate interfaces. The third interface, switch3, is a software switch with FortiLink enabled. The three interfaces are configured, and then aggregate1 and aggregate2 are added to the software switch interface.

config system interface

edit "aggregate1"

set vdom "root"

set type aggregate

set member "port11"

set device-identification enable

set role lan

set snmp-index 25

next

edit "aggregate2"

set vdom "root"

set type aggregate

set member "port7"

set device-identification enable

set role lan

set snmp-index 34

next

edit "switch3"

set vdom "root"

set fortilink enable

set ip 10.255.1.1 255.255.255.0

set allowaccess ping fabric

set type switch

set lldp-reception enable

set lldp-transmission enable

set snmp-index 26

set fortilink-neighbor-detect lldp

set swc-first-create 64

config ipv6

set ip6-send-adv enable

set ip6-other-flag enable

end

next

end

config system switch-interface

edit "switch3"

set vdom "root"

set member "aggregate1" "aggregate2"

next

end

3. Auto-discovery of the FortiSwitch ports

Note

Starting with FortiSwitch 7.2.0, all ports are enabled for auto-discovery by default.

NOTE: For details on how to connect the FortiSwitch topology, see Determining the network topology.

By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect the FortiLink using one of these ports, no switch configuration is required.

In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface command on the FortiSwitch unit to see the ports that have auto-discovery enabled.

The following table lists the default auto-discovery ports for each switch model.

FortiSwitch Model

Default Auto-FortiLink ports

FS-108D-POE

port9–port10

FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE

port7–port10

FSR-112D-POE

port5–port12

FS-124D, FS-124D-POE

port23–port26

FSR-124D

port1-port4, port21–port28

FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE

port21–port28

FS-148E, FS-148E-POE

port21–port52

FS-148F, FS-148F-POE, FS-148F-FPOE

port48–port52

FS-224D-POE

port21–port24

FS-224D-FPOE

port21–port28

FS-224E, FS-224E-POE port21–port28

FS-248D, FS-248D-FPOE

port45–port52

FS-248D-POE

port47–port50

FS-248E-POE, FS-248E-FPOE

port45–port52

FS-424D, FS-424D-POE, FS-424D-FPOE

port23–port26

FS-424E-Fiber

port1-port30

FS-426E-FPOE-MG

port23-port30

FS-448D, FS-448D-POE, FS-448D-FPOE

port45–port52

FS-524D, FS-524D-FPOE

port21–port30

FS-548D

port39–port54

FS-548D-FPOE, FS-548DN

port45–port54

FS-1024D

port1–port24

FS-1024E, FS-T1024E

port1–port26

FS-1048D, FS-1048E

port1–port52

FS-3032D, FS-3032E

port1–port32

NOTE: Any port can be used for FortiLink if it is manually configured.

You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface

edit <port>

set auto-discovery-fortilink enable

end

Automatic inter-switch links (ISLs)

After a FortiSwitch unit is discovered and in FortiLink mode, all ports are enabled for FortiLink. Connect another FortiSwitch unit to any of the already discovered FortiSwitch ports, and the ISL is formed automatically, and the new unit is discovered by the FortiGate unit.

Static ISL trunks

In some cases, you might want to manually create an ISL trunk, for example, for FortiLink mode over a point-to-point layer-2 network or for FortiLink mode over a layer-3 network. You can also enable or disable automatic VLAN configuration on the manually created (static) ISL trunk. The static ISL feature can also be used to lock down the FortiLink topology after automatic discovery. Locking down the Security Fabric topology prevents the automatically created ISLs and ICLs from being accidentally deleted.

To manually create an ISL trunk in the CLI:

config switch trunk

edit "<trunk_name>"

set static-isl enable

set static-isl-auto-vlan {enable | disable}

end

Locking down the ISL trunk in the GUI (when there is a single FortiLink interface):
  1. Go to WiFi & Switch Controller > FortiLink Interface.

  2. Enable Lockdown ISL.

Locking down the ISL trunk in the GUI (when there are two or more FortiLink interfaces):
  1. Go to WiFi & Switch Controller > FortiLink Interface.

  2. Right-click the FortiLink interface in the Name column.

  3. Click Lockdown ISL.

Note

Locking down ISLs and ICLs is one of the recommendations in the Security Rating report (Security Fabric > Security Rating).

Deleting a FortiLink interface

If you have any problems with deleting a FortiLink interface, disable it first using the CLI:

config switch interface

edit <FortiLink_interface_name>

set fortilink disable

end

Configuring FortiLink

Configuring FortiLink

Tooltip

You need to physically connect the FortiSwitch unit to the FortiGate unit only after completing this section. Some settings are only possible when the FortiGate unit has not authorized any switches.

To configure FortiLink:

1. Enabling the switch controller on the FortiGate unit

2. Configuring the FortiLink interface

3. Auto-discovery of the FortiSwitch ports

1. Enabling the switch controller on the FortiGate unit

Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the FortiGate unit with the FortiGate GUI or CLI to enable the switch controller. Depending on the FortiGate model and software release, this feature might be enabled by default.

Using the FortiGate GUI
  1. Go to System > Feature Visibility.
  2. Turn on the Switch Controller feature, which is in the Core Features list.
  3. Select Apply.

The menu option WiFi & Switch Controller now appears.

Using the FortiGate CLI

Use the following commands to enable the switch controller:

config system global

set switch-controller enable

end

2. Configuring the FortiLink interface

The FortiLink interface is created automatically as an aggregate interface type; if the FortiGate model does not support the aggregate interface type, the FortiLink interface is created automatically as a hardware switch. Fortinet recommends keeping the default type of the FortiLink; however, if a physical interface or soft-switch interface type is required, the interface must be enabled for FortiLink using the FortiOS CLI, and then the default FortiLink interface can be deleted.

The FortiLink interface type is dependent on the network topology to be deployed. See Determining the network topology.

Using the FortiGate GUI

This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.

You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

Configure the FortiLink interface

To configure the FortiLink interface on the FortiGate unit:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Select + in the Interface members field and then select the ports to add to the FortiLink interface.
    NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, right-click the FortiLink physical port, select Edit, delete the port from the Interface Members field, and then select OK.
  3. Configure the IP/Network Mask for your network.
  4. Select Automatically authorize devices.
  5. Select Apply.

FortiLink split interface

You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.

The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).

The FortiLink split interface is enabled by default. You can configure this feature with the FortiGate GUI and CLI.

NOTE: The FortiLink split interface must be enabled before MCLAG is enabled on the FortiSwitch unit. After MCLAG is enabled, you can disable the FortiLink split interface to make both links active. See MCLAG peer groups.

Using the FortiGate GUI:
  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. Move the FortiLink split interface slider.
Using the FortiGate CLI:

config system interface

edit <name of the FortiLink interface>

set fortilink-split-interface {enable | disable}

end

Using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

You can also configure FortiLink mode over a layer-3 network.

Summary of the procedure

  1. On the FortiGate unit, configure the FortiLink interface.
  2. Authorize the managed FortiSwitch unit manually if you did not select Automatically authorize devices.

For example, if the IP address, members, and automatic FortiSwitch authorization are enabled:

config system interface

edit "fortilink"

set ip 172.16.16.254 255.255.255.0

set member "port9" "port10"

set auto-auth-extension-device enable

next

end

If required, remove a physical port from the lan interface:

config system virtual-switch

edit lan

config port

delete port1

end

end

end

2.1 Custom FortiLink interfaces

Choosing the FortiGate ports

The FortiLink can consist of a single (physical) or multiple ports (802.3ad aggregate, hardware switch, or software switch).

FortiLink is supported on all Ethernet ports except HA and MGMT.

If the default FortiLink interface was removed, on the FortiGate GUI, edit the interface and select Dedicated to FortiSwitch. Optionally, set the IP address and enable auto-authorization. Disable the split-interface if the interface is the aggregate type and is connecting all members to the same FortiSwitch unit.

NOTE: The FortiLink interface type is dependent upon the network topology to be deployed. See Determining the network topology.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.

In the following steps, port1 is configured as the FortiLink port.

  1. Configure port1 as the FortiLink interface with the customer IP address and automatic authorization:

    config system interface

    edit "port1"

    set fortilink enable

    set ip 172.16.16.254 255.255.255.0

    set auto-auth-extension-device enable

    next

    end

    If required, remove port1 from the lan interface:

    config system virtual-switch

    edit lan

    config port

    delete port1

    end

    end

    end

  2. (Optional) Configure an NTP server on port1:

    config system ntp

    set server-mode enable

    set interface port1

    end

  3. If automatic authorization is disabled, you need to manually authorize the FortiSwitch unit as a managed switch:

    config switch-controller managed-switch

    edit FS224D3W14000370

    set fsw-wan1-admin enable

    end

    end

  4. The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch.

LAG is supported on all FortiSwitch models. Check the FortiGate feature matrix to check which models support the hardware switch and LAG (802.3ad aggregate) interfaces.

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

Using the GUI:

To configure the FortiLink interface on the FortiGate unit:

  1. Go to Network > Interfaces and click Create New.
  2. Enter a name for the interface (11 characters maximum).
  3. For the type, select 802.3ad aggregate.
  4. Select + in the Interface members field and then select the ports to add to the FortiLink interface.

    NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, edit the lan or internal interface, delete the port from the Interface Members field, and then click OK.

  5. Configure the IP/Network Mask for your network.
  6. Select Automatically authorize devices.
  7. Click Apply.

    If you want to add a third FortiLink interface, go to WiFi & Switch Controller > FortiLink Interface and click Create new.

Using the CLI:
  1. If required, remove the FortiLink ports from the lan interface:

    config system virtual-switch

    edit lan

    config port

    delete port4

    delete port5

    end

    end

    end

  2. Create a trunk with the two ports that you connected to the switch:

    config system interface

    edit flink1 (enter a name with a maximum of 11 characters)

    set ip 172.16.16.254 255.255.255.0

    set type aggregate

    set member port4 port5

    set fortilink enable

    (optional) set fortilink-split-interface disable

    next

    end

  3. NOTE: If the members of the aggregate interface connect to the same FortiSwitch unit, you must disable fortilink-split-interface.

Configure a LAG on a FortiLink-enabled software switch

Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can configure a link-aggregation group (LAG) as a member of a software switch that is being used for FortiLink. Previously, you could not add a LAG to a software switch that was being used for FortiLink.

Note
  • You must set fortilink-neighbor-detect to lldp.

  • Aggregate interfaces do not automatically form an inter-switch link (ISL) within a FortiGate software switch. You must create the aggregate interfaces and add them to the software switch.

  • The FortiSwitch unit will automatically form an ISL with correctly configured FortiGate aggregate interfaces.

In the following example, aggregate1 and aggregate2 are FortiGate aggregate interfaces. The third interface, switch3, is a software switch with FortiLink enabled. The three interfaces are configured, and then aggregate1 and aggregate2 are added to the software switch interface.

config system interface

edit "aggregate1"

set vdom "root"

set type aggregate

set member "port11"

set device-identification enable

set role lan

set snmp-index 25

next

edit "aggregate2"

set vdom "root"

set type aggregate

set member "port7"

set device-identification enable

set role lan

set snmp-index 34

next

edit "switch3"

set vdom "root"

set fortilink enable

set ip 10.255.1.1 255.255.255.0

set allowaccess ping fabric

set type switch

set lldp-reception enable

set lldp-transmission enable

set snmp-index 26

set fortilink-neighbor-detect lldp

set swc-first-create 64

config ipv6

set ip6-send-adv enable

set ip6-other-flag enable

end

next

end

config system switch-interface

edit "switch3"

set vdom "root"

set member "aggregate1" "aggregate2"

next

end

3. Auto-discovery of the FortiSwitch ports

Note

Starting with FortiSwitch 7.2.0, all ports are enabled for auto-discovery by default.

NOTE: For details on how to connect the FortiSwitch topology, see Determining the network topology.

By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect the FortiLink using one of these ports, no switch configuration is required.

In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface command on the FortiSwitch unit to see the ports that have auto-discovery enabled.

The following table lists the default auto-discovery ports for each switch model.

FortiSwitch Model

Default Auto-FortiLink ports

FS-108D-POE

port9–port10

FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE

port7–port10

FSR-112D-POE

port5–port12

FS-124D, FS-124D-POE

port23–port26

FSR-124D

port1-port4, port21–port28

FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE

port21–port28

FS-148E, FS-148E-POE

port21–port52

FS-148F, FS-148F-POE, FS-148F-FPOE

port48–port52

FS-224D-POE

port21–port24

FS-224D-FPOE

port21–port28

FS-224E, FS-224E-POE port21–port28

FS-248D, FS-248D-FPOE

port45–port52

FS-248D-POE

port47–port50

FS-248E-POE, FS-248E-FPOE

port45–port52

FS-424D, FS-424D-POE, FS-424D-FPOE

port23–port26

FS-424E-Fiber

port1-port30

FS-426E-FPOE-MG

port23-port30

FS-448D, FS-448D-POE, FS-448D-FPOE

port45–port52

FS-524D, FS-524D-FPOE

port21–port30

FS-548D

port39–port54

FS-548D-FPOE, FS-548DN

port45–port54

FS-1024D

port1–port24

FS-1024E, FS-T1024E

port1–port26

FS-1048D, FS-1048E

port1–port52

FS-3032D, FS-3032E

port1–port32

NOTE: Any port can be used for FortiLink if it is manually configured.

You can use any of the switch ports for FortiLink. Before connecting the switch to the FortiGate unit, use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface

edit <port>

set auto-discovery-fortilink enable

end

Automatic inter-switch links (ISLs)

After a FortiSwitch unit is discovered and in FortiLink mode, all ports are enabled for FortiLink. Connect another FortiSwitch unit to any of the already discovered FortiSwitch ports, and the ISL is formed automatically, and the new unit is discovered by the FortiGate unit.

Static ISL trunks

In some cases, you might want to manually create an ISL trunk, for example, for FortiLink mode over a point-to-point layer-2 network or for FortiLink mode over a layer-3 network. You can also enable or disable automatic VLAN configuration on the manually created (static) ISL trunk. The static ISL feature can also be used to lock down the FortiLink topology after automatic discovery. Locking down the Security Fabric topology prevents the automatically created ISLs and ICLs from being accidentally deleted.

To manually create an ISL trunk in the CLI:

config switch trunk

edit "<trunk_name>"

set static-isl enable

set static-isl-auto-vlan {enable | disable}

end

Locking down the ISL trunk in the GUI (when there is a single FortiLink interface):
  1. Go to WiFi & Switch Controller > FortiLink Interface.

  2. Enable Lockdown ISL.

Locking down the ISL trunk in the GUI (when there are two or more FortiLink interfaces):
  1. Go to WiFi & Switch Controller > FortiLink Interface.

  2. Right-click the FortiLink interface in the Name column.

  3. Click Lockdown ISL.

Note

Locking down ISLs and ICLs is one of the recommendations in the Security Rating report (Security Fabric > Security Rating).

Deleting a FortiLink interface

If you have any problems with deleting a FortiLink interface, disable it first using the CLI:

config switch interface

edit <FortiLink_interface_name>

set fortilink disable

end