Configuring FortiLink
You need to physically connect the FortiSwitch unit to the FortiGate unit only after completing this section. Some settings are only possible when the FortiGate unit has not authorized any switches.
To configure FortiLink:
1. Enabling the switch controller on the FortiGate unit
2. Configuring the FortiLink interface
3. Auto-discovery of the FortiSwitch ports
1. Enabling the switch controller on the FortiGate unit
Before connecting the FortiSwitch and FortiGate units, ensure that the switch controller feature is enabled on the FortiGate unit; you can enable it with the FortiGate GUI or CLI. Depending on the FortiGate model and software release, this feature might be enabled by default.
Using the FortiGate GUI
- Go to System > Feature Visibility.
- Turn on the Switch Controller feature, which is in the Core Features list.
- Select Apply.
The menu option WiFi & Switch Controller now appears.
Using the FortiGate CLI
Use the following commands to enable the switch controller:
config system global
set switch-controller enable
end
2. Configuring the FortiLink interface
The FortiLink interface is created automatically as an aggregate interface type; if the FortiGate model does not support the aggregate interface type, the FortiLink interface is created automatically as a hardware switch. Fortinet recommends keeping the default type of the FortiLink; however, if a physical interface or soft-switch interface type is required, the interface must be enabled for FortiLink using the FortiOS CLI, and then the default FortiLink interface can be deleted.
The FortiLink interface type is dependent on the network topology to be deployed. See Determining the network topology.
Using the FortiGate GUI
This section describes how to configure a FortiLink between a FortiSwitch unit and a FortiGate unit.
You can configure FortiLink using the FortiGate GUI or CLI. Fortinet recommends using the GUI because the CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
Configure the FortiLink interface
To configure the FortiLink interface on the FortiGate unit:
- Go to WiFi & Switch Controller > FortiLink Interface.
- Select + in the Interface members field and then select the ports to add to the FortiLink interface.
NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, right-click the FortiLink physical port, select Edit, delete the port from the Interface Members field, and then select OK.
- Configure the IP/Network Mask for your network.
- Select Automatically authorize devices.
- Select Apply.
FortiLink split interface
You can use the FortiLink split interface to connect the FortiLink aggregate interface from one FortiGate unit to two FortiSwitch units. When the FortiLink split interface is enabled, only one link remains active.
The aggregate interface for this configuration must contain exactly two physical ports (one for each FortiSwitch unit).
The FortiLink split interface is enabled by default. You can configure this feature with the FortiGate GUI and CLI.
NOTE: The FortiLink split interface must be enabled before MCLAG is enabled on the FortiSwitch unit. After MCLAG is enabled, you can disable the FortiLink split interface to make both links active. See MCLAG peer groups.
Using the FortiGate GUI:
- Go to WiFi & Switch Controller > FortiLink Interface.
- Move the FortiLink split interface slider.
Using the FortiGate CLI:
config system interface
edit <name of the FortiLink interface>
set fortilink-split-interface {enable | disable}
end
Using the FortiGate CLI
This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).
If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.
You can also configure FortiLink mode over a layer-3 network.
Summary of the procedure
- On the FortiGate unit, configure the FortiLink interface.
- Authorize the managed FortiSwitch unit manually if you did not select Automatically authorize devices.
For example, the following configures the IP address and member ports and enables automatic FortiSwitch authorization:
config system interface
edit "fortilink"
set ip 172.16.16.254 255.255.255.0
set member "port9" "port10"
set auto-auth-extension-device enable
next
end
If required, remove a physical port from the lan interface:
config system virtual-switch
edit lan
config port
delete port1
end
end
end
2.1 Custom FortiLink interfaces
Choosing the FortiGate ports
The FortiLink can consist of a single (physical) or multiple ports (802.3ad aggregate, hardware switch, or software switch).
FortiLink is supported on all Ethernet ports except HA and MGMT.
If the default FortiLink interface was removed, on the FortiGate GUI, edit the interface and select Dedicated to FortiSwitch. Optionally, set the IP address and enable auto-authorization. Disable the split-interface if the interface is the aggregate type and is connecting all members to the same FortiSwitch unit.
NOTE: The FortiLink interface type is dependent upon the network topology to be deployed. See Determining the network topology.
Configure FortiLink on a physical port
Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.
In the following steps, port1 is configured as the FortiLink port.
- Configure port1 as the FortiLink interface with the customer IP address and automatic authorization:
config system interface
edit "port1"
set fortilink enable
set ip 172.16.16.254 255.255.255.0
set auto-auth-extension-device enable
next
end
If required, remove port1 from the lan interface:
config system virtual-switch
edit lan
config port
delete port1
end
end
end
- (Optional) Configure an NTP server on port1:
config system ntp
set server-mode enable
set interface port1
end
- If automatic authorization is disabled, you need to manually authorize the FortiSwitch unit as a managed switch:
config switch-controller managed-switch
edit FS224D3W14000370
set fsw-wan1-admin enable
end
end
NOTE: The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command.
Configure FortiLink on a logical interface
You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch.
LAG is supported on all FortiSwitch models. Check the FortiGate feature matrix to see which models support the hardware switch and LAG (802.3ad aggregate) interfaces.
In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.
Using the GUI:
To configure the FortiLink interface on the FortiGate unit:
- Go to Network > Interfaces and click Create New.
- Enter a name for the interface (11 characters maximum).
- For the type, select 802.3ad aggregate.
- Select + in the Interface members field and then select the ports to add to the FortiLink interface.
NOTE: If you do not see any ports listed in the Select Entries pane, go to Network > Interfaces, edit the lan or internal interface, delete the port from the Interface Members field, and then click OK.
- Configure the IP/Network Mask for your network.
- Select Automatically authorize devices.
- Click Apply.
If you want to add a third FortiLink interface, go to WiFi & Switch Controller > FortiLink Interface and click Create new.
Using the CLI:
- If required, remove the FortiLink ports from the lan interface:
config system virtual-switch
edit lan
config port
delete port4
delete port5
end
end
end
- Create a trunk with the two ports that you connected to the switch:
config system interface
edit flink1 (enter a name with a maximum of 11 characters)
set ip 172.16.16.254 255.255.255.0
set type aggregate
set member port4 port5
set fortilink enable
(optional) set fortilink-split-interface disable
next
end
NOTE: If the members of the aggregate interface connect to the same FortiSwitch unit, you must disable fortilink-split-interface.
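The rules scattered through the procedures above (the 11-character name limit, fortilink enabled, exactly two members when the split interface is left at its default of enabled, and members removed from the lan virtual switch) can be checked against a saved CLI listing before the FortiGate unit is connected. The following Python is an added example, not Fortinet's code or tooling; it assumes the listing uses the config/edit/set/next/end layout shown on this page and that interface names contain no spaces, and the sample configuration is constructed.

```python
# Constructed sample in this page's config/edit/set/next/end format: the FortiLink LAG
# "flink1" from the procedure above, but port4 was never removed from the "lan" virtual switch.
SAMPLE_CONFIG = """
config system virtual-switch
    edit lan
        config port
            edit port4
            next
        end
    next
end
config system interface
    edit "flink1"
        set type aggregate
        set member "port4" "port5"
        set fortilink enable
    next
end
"""

def parse_fortios(text):
    # config/edit open a nested dict, set stores its values, next/end close the level
    root, stack = {}, []
    for words in filter(None, (ln.replace('"', "").split() for ln in text.splitlines())):
        cur = stack[-1] if stack else root
        if words[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(words[1:]), {}))
        elif words[0] == "set":
            cur[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            stack.pop()
    return root

def check_fortilink(cfg, name):
    # Returns the rules stated on this page that FortiLink interface <name> violates
    iface = cfg["system interface"][name]
    members = iface.get("member", [])
    lan_ports = cfg.get("system virtual-switch", {}).get("lan", {}).get("port", {})
    split = iface.get("fortilink-split-interface", ["enable"])[0]  # enabled by default
    rules = [
        (len(name) > 11, "name exceeds the 11-character maximum"),
        (iface.get("fortilink", ["disable"])[0] != "enable", "fortilink is not enabled"),
        (iface.get("type", [""])[0] == "aggregate" and split == "enable" and len(members) != 2,
         "split interface requires exactly two member ports"),
    ]
    problems = [msg for hit, msg in rules if hit]
    problems += [f"{p} is still in the lan virtual switch" for p in members if p in lan_ports]
    return problems
```

Running check_fortilink(parse_fortios(SAMPLE_CONFIG), "flink1") reports only the leftover lan membership of port4, which is exactly the step the NOTE above tells you to perform first.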
Configure a LAG on a FortiLink-enabled software switch
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can configure a link-aggregation group (LAG) as a member of a software switch that is being used for FortiLink. Previously, you could not add a LAG to a software switch that was being used for FortiLink.
In the following example, aggregate1 and aggregate2 are FortiGate aggregate interfaces. The third interface, switch3, is a software switch with FortiLink enabled. The three interfaces are configured, and then aggregate1 and aggregate2 are added to the software switch interface.
config system interface
edit "aggregate1"
set vdom "root"
set type aggregate
set member "port11"
set device-identification enable
set role lan
set snmp-index 25
next
edit "aggregate2"
set vdom "root"
set type aggregate
set member "port7"
set device-identification enable
set role lan
set snmp-index 34
next
edit "switch3"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type switch
set lldp-reception enable
set lldp-transmission enable
set snmp-index 26
set fortilink-neighbor-detect lldp
set swc-first-create 64
config ipv6
set ip6-send-adv enable
set ip6-other-flag enable
end
next
end
config system switch-interface
edit "switch3"
set vdom "root"
set member "aggregate1" "aggregate2"
next
end
3. Auto-discovery of the FortiSwitch ports
Starting with FortiSwitch 7.2.0, all ports are enabled for auto-discovery by default.
NOTE: For details on how to connect the FortiSwitch topology, see Determining the network topology.
By default, each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery. If you connect the FortiLink using one of these ports, no switch configuration is required.
In FortiSwitchOS 3.4.0 and later releases, the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface command on the FortiSwitch unit to see the ports that have auto-discovery enabled.
The following table lists the default auto-discovery ports for each switch model.
FortiSwitch Model | Default Auto-FortiLink ports
---|---
FS-108D-POE | port9–port10
FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE | port7–port10
FSR-112D-POE | port5–port12
FS-124D, FS-124D-POE | port23–port26
FSR-124D | port1–port4, port21–port28
FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE | port21–port28
FS-148E, FS-148E-POE | port21–port52
FS-148F, FS-148F-POE, FS-148F-FPOE | port48–port52
FS-224D-POE | port21–port24
FS-224D-FPOE | port21–port28
FS-224E, FS-224E-POE | port21–port28
FS-248D, FS-248D-FPOE | port45–port52
FS-248D-POE | port47–port50
FS-248E-POE, FS-248E-FPOE | port45–port52
FS-424D, FS-424D-POE, FS-424D-FPOE | port23–port26
FS-424E-Fiber | port1–port30
FS-426E-FPOE-MG | port23–port30
FS-448D, FS-448D-POE, FS-448D-FPOE | port45–port52
FS-524D, FS-524D-FPOE | port21–port30
FS-548D | port39–port54
FS-548D-FPOE, FS-548DN | port45–port54
FS-1024D | port1–port24
FS-1024E, FS-T1024E | port1–port26
FS-1048D, FS-1048E | port1–port52
FS-3032D, FS-3032E | port1–port32
NOTE: Any port can be used for FortiLink if it is manually configured.
You can use any of the switch ports for FortiLink.
Automatic inter-switch links (ISLs)
After a FortiSwitch unit is discovered and in FortiLink mode, all of its ports are enabled for FortiLink. Connect another FortiSwitch unit to any port of an already discovered FortiSwitch unit: the ISL forms automatically and the FortiGate unit discovers the new unit.
Static ISL trunks
In some cases, you might want to manually create an ISL trunk, for example, for FortiLink mode over a point-to-point layer-2 network or for FortiLink mode over a layer-3 network. You can also enable or disable automatic VLAN configuration on the manually created (static) ISL trunk. The static ISL feature can also be used to lock down the FortiLink topology after automatic discovery. Locking down the Security Fabric topology prevents the automatically created ISLs and ICLs from being accidentally deleted.
To manually create an ISL trunk in the CLI:
config switch trunk
edit "<trunk_name>"
set static-isl enable
set static-isl-auto-vlan {enable | disable}
end
Locking down the ISL trunk in the GUI (when there is a single FortiLink interface):
- Go to WiFi & Switch Controller > FortiLink Interface.
- Enable Lockdown ISL.
Locking down the ISL trunk in the GUI (when there are two or more FortiLink interfaces):
- Go to WiFi & Switch Controller > FortiLink Interface.
- Right-click the FortiLink interface in the Name column.
- Click Lockdown ISL.
Locking down ISLs and ICLs is one of the recommendations in the Security Rating report (Security Fabric > Security Rating).
Deleting a FortiLink interface
If you have any problems with deleting a FortiLink interface, disable it first using the CLI:
config switch interface
edit <FortiLink_interface_name>
set fortilink disable
end