FortiLink secure fabric

The FortiLink secure fabric provides authentication and encryption to all fabric links, wherever possible, making your Security Fabric more secure.

By default, authentication and encryption are disabled on the Security Fabric. After you specify the authentication mode and encryption mode for the FortiLink secure fabric in the LLDP profile:

1. FortiOS authenticates the connected LLDP neighbors.

2. FortiOS forms an authenticated secure inter-switch link (ISL) trunk.

3. Ports that are members of the authenticated secure ISL trunk are encrypted with Media Access Control security (MACsec) (IEEE 802.1AE-2018).

4. After the peer authentication (and MACsec encryption, if enabled) is complete, FortiOS configures the user VLANs.

5. If FortiOS detects a new FortiSwitch unit in the Security Fabric, one of the FortiSwitch peers validates whether the new switch has a Fortinet factory SSL certificate chain. If the new FortiSwitch unit has a valid certificate, it becomes a FortiSwitch peer in the FortiLink secure fabric.

When set static-isl is enabled, authentication and encryption are not supported. When you are using the FortiLink secure fabric, locking down the Security Fabric topology from the Security Fabric > Security Rating page is not supported. When you are using the FortiLink secure fabric, the diagnose switch-controller switch-recommendation fabric-lockdown-enable command is not supported.

The following figure shows the FortiLink secure fabric. The links between the FortiGate device and the managed FortiSwitch units are always unencrypted. The green links between FortiSwitch peers are encrypted ISLs. The orange links between FortiSwitch peers are unencrypted ISLs.

Authentication modes

By default, there is no authentication. You can select one of three authentication modes:

• Legacy—This mode is the default. There is no authentication.

• Relax—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, FortiOS forms a restricted ISL trunk.

  A restricted ISL trunk is the same as a regular ISL trunk, but FortiOS does not add any user VLANs. The restricted ISL trunk allows limited access so that users can authenticate unauthenticated switches. Use a restricted ISL trunk for a new FortiSwitch unit that was just added to the Security Fabric or a FortiSwitch unit that does not support authentication or encryption.

• Strict—If authentication succeeds, FortiOS forms a secure ISL trunk. If authentication fails, no ISL trunk is formed.

Encryption modes

By default, there is no encryption. You must select the strict or relax authentication mode before you can select the mixed or must encryption mode.

• None—There is no encryption, and FortiOS does not enable MACsec on the ISL trunk members.

• Mixed—FortiOS enables MACsec on the ISL trunk ports that support MACsec; the ISL trunk members act as encrypted links. FortiOS disables MACsec on the ISL members that do not support MACsec; these ISL trunk members act as unencrypted links.

• Must—FortiOS enables MACsec on all ISL trunk members. If the port supports MACsec, the port acts as an encrypted link. If the port does not support MACsec, the port is removed from the ISL trunk, but the port still functions as a user port.

Configuring the FortiLink secure fabric

To configure the FortiLink secure fabric:

1. Configure the LLDP profile.

2. Assign the LLDP profile to a FortiSwitch physical port.

To configure the LLDP profile:

config switch-controller lldp-profile

edit {LLDP_profile_name | default-auto-isl | default-auto-mclag-icl}

set auto-isl-auth {legacy | relax | strict}

set auto-isl-auth-user <string>

set auto-isl-auth-identity <string>

set auto-isl-auth-reauth <10-3600>

set auto-isl-auth-encrypt {none | mixed | must}

set auto-isl-auth-macsec-profile default-macsec-auto-isl

next

end

Option	Description	Default
{LLDP_profile_name | default-auto-isl | default-auto-mclag-icl}	Select one of the two default LLDP profiles (default-auto-isl or default-auto-mclag-icl) or create your own LLDP profile.	No default
auto-isl-auth {legacy | relax | strict}	Select the authentication mode.	legacy
auto-isl-auth-user <string>	Select the user certificate, such as Fortinet_Factory. This option is available when auto-isl-auth is set to relax or strict.	No default
auto-isl-auth-identity <string>	Enter the identity, such as fortilink. This option is available when auto-isl-auth is set to relax or strict.	No default
auto-isl-auth-reauth <10-3600>	Enter the reauthentication period in minutes. This option is available when auto-isl-auth is set to relax or strict.	3600
auto-isl-auth-encrypt {none | mixed | must}	Select the encryption mode. This option is available when auto-isl-auth is set to strict or relax.	none
auto-isl-auth-macsec-profile <string>	Use the default-macsec-auto-isl profile. This option is available when auto-isl-auth-encrypt is set to mixed or must.	default-macsec-auto-isl

Configuration example

config switch-controller lldp-profile

edit customLLDPprofile

set auto-isl-auth relax

set auto-isl-auth-user Fortinet_Factory

set auto-isl-auth-identity fortilink

set auto-isl-auth-encrypt mixed

set auto-isl-auth-macsec-profile default-macsec-auto-isl

next

end

config switch-controller managed-switch

edit S524DF4K15000024

config ports

edit port49

set lldp-profile customLLDPprofile

next

end

next

end

Viewing the FortiLink secure fabric

To get information from the FortiGate device about which FortiSwitch units ports are authenticated, secured, or restricted:

execute switch-controller get-physical-conn {dot | standard} <FortiLink_interface>

To get the FortiLink authentication status for the port from the FortiSwitch unit:

diagnose switch fortilink-auth status <port_name>

To get the FortiLink authentication traffic statistics for the port from the FortiSwitch unit:

diagnose switch fortilink-auth statistics <port_name>

To delete the FortiLink authentication traffic statistics for the port from the FortiSwitch unit:

execute fortilink-auth clearstat physical-port <port_name>

To reauthenticate FortiLink secure fabric peers from the specified port from the FortiSwitch unit:

execute fortilink-auth reauth physical-port <port_name>

To reset the authentication for the FortiLink secure fabric from the FortiSwitch unit on the specified port:

execute fortilink-auth reset physical-port <port_name>

To display statistics and status of the FortiLink secure fabric for the port from the FortiSwitch unit:

get switch lldp auto-isl-status <port_name>

To display the status of the FortiLink secure fabric for the trunk from the FortiSwitch unit:

get switch trunk

Requirements and limitations

• FortiOS 7.4.1 or later and FortiSwitchOS 7.4.1 or later are required.

• FortiLink mode over a layer-2 network and FortiLink mode over a layer-3 network are supported.

• VXLAN is not supported.

• When a new FortiSwitch unit is added to the fabric, it must have a Fortinet factory SSL certificate before it is allowed to become an authenticated peer within the FortiLink secure fabric.

• When a new FortiSwitch unit is added to the FortiLink secure fabric with the strict authentication mode, the restricted ISL trunk is not formed. You must configure the FortiSwitch unit manually (under the config switch lldp-profile command).

• You need to manually import a custom certificate on the managed FortiSwitch units first; then you can specify the custom certificate on the FortiLink secure fabric with the set auto-isl-auth-user command under config switch-controller lldp-profile. After that, you can configure the custom certificate on the running Security Fabric.