Is FortiLink a Gimmick

Thanks for the your thoughts and insight. I’m going to take note of the incorrect NTP config causing issues too! ✌️

Fortilink gives you visibility and security at the access port level (aka as east-west traffic) whereas in a typical 2-tier/3-tier topology you will not. And as Mike says, you have to view FortiLink as an extension of the firewall itself down to the access port and this is really powerful.

Yes, please do the layer 3 video!

Good stuff man, thanks

Thanks for that. Could you please make a video about the FortiVM HA configuration (A-A) in VMware environment. I am stuck as it changes interface IP address everytime i try to create a cluster. would love to see a video about it. Chaoo

What the easiest way of turn off sip alg on a fortigate?

Please make a video about FortiAuthentificator, how to do all this stuff and about MAB, MAC dynamic

I totally agree with you. Could you do a video on stacking Fortiswitches?

Hi! Is possible create diferents fortilink on differents vdoms for share fortiswitchs ports? When I try to create a MCLag with export ports is not possible. BR

Hi Can you please guide is it possible to carry vlan data/production traffic on dedicated Fortilink ports (I mean can Fortilink carry control plane and data plane traffic simultaneously) ?
If not then my 2nd question is to verify that I need to create vlan 110 (name FS-test) and on fortilink interface and allow this vlan on Fortiswitch port 1 and create same vlan 110 (name "FGT-test) and allow on WAN port of FGT. Connect FGT port WAN with Fortiswitch port 1 and this will make the traffic through on vlan110. As per my understanding same vlan number can be used under Fortlink and WAN port but not same name for that vlan in our case it is vlan110.

Hey Mike, I have a FortiWifi 40F with several SSIDs on it, and I just got a FortiGate 70F that I would like to use as my new gateway along with a new FortiAP. Is it possible to manage the FortiWifi as a glorified AP from the WiFi controller of the 70F? I am looking to support roaming from the AP to the FWF and vice versa using the controller on the 70F. I would appreciate any guidance or suggestions. Thank you!

Have never successfully connected more than one switch to my gate... fortilink to a 124 and the from the 124 to several 108's works fine. all the switches connected to a single gate, gate gets all pissed.
Support says, it cant be done, can it Mike? optimally i would want 2 1gb interfaces from the gate to each switch. thanks man, dig your content, has helped a ton, cheers

Hey Mike, Can you setup two fortiswitches in standalone mode to be used as CORE switches with MCLAG-ICL? Basically what I want to do is to leave L3 routes at fortiswitch end

Hi Mike, hi guys. Mike, thanks for all the info you put out. Its been really helpful.
I have been trying to connect my fortiswitch to my fortigate (without using fortilink), and I barely find any document on that. I am stuck at this time. It would be great if I could get a link to a helpful resource in this respect. Thanks.

Hey Mike
Have you heard of the cert issue with 6.2.x? particular sites when the IPV4 policy is in proxy mode will give a cert error,
Allow invalid certs in the ssl security policy doesn't fix it, and the "fix" from TAC has been to put the IPV4 policy in flow mode, however this sacrifices some of the feature set I'm using.
Was so strange just out of nowhere no updates or anything on my part and my phone goes off the hook with complaints of web sites being blocked.

I want to know more about.. It

Can you setup the fortilink just for managment, and setup other ports for data?

Best part is I can ship a switch to a site with no config and plug it in and remotely fully configure it as needed.

I noticed with FortiOS 7.0 the fortilink interfaces are coming up of type 802.3ad aggregate interfaces. Have you found that the FortiOS behaves fundamentally different with regard to Fortilink interfaces or do you feel that this is just more accurately describing what they were already doing?

Does it actually route traffic (native vlan and other vlans) over the fortilink or is it strictly for management only?

My main issue with it is the implementation. It lacks option/function on the switch. Updates always scares me because of new bugs (last update ports assigned to other vdoms where suddenly not working anymore) . Troubleshooting is very limited (Mirroring is very limited).
Sometimes I feel it is like managing a black box and get frustrated by its lack of flexibility. It looks nice for the end-customer. It made it easer to push security settings onto port level. But I would rather chooce a VPC or Stack setup with best in class HW.

Can be done vdom on the fortiswitch?

i'm giggling my ass off cuz my wife just came in to talk about our kids or something... (she always says I never listen to her, or yada yada yada... whatever... anyway, I pressed pause and after she finished yelling at me she looked at my screen, stopped at about 03:59... i caught a perfectly crazed look on your face... to which she said, "omg - what are you even watching... why can't you just watch porn like a normal person"... some people will never appreciate the beauty of networking... keep up the great work!

I would like you (if possible) to make a video about how slow is the FortiOS webui in some versions.
Sometimes, Fortinet release a new version with a bunch of fixes but they don't bother to fix the slow webui.
Like yesterday, I upgraded 6KF from 5.6.7 to 6.2.3 , and as you may know, this device not every version applies to it and you need to wait long time until they release a version that applies to it. So we upgraded to 6.2.3 , got new features, but damn it the webui is very slow, 20 seconds need to wait until it start showing the policies .. And guess what, I read all the known issues in this version release notes but they didn't mention it. Fortinet TAC says its an internal bug not published ..... I'm tired of this sh*t

oh, you look like a guru

VLANs on the Switch Controller via FortLink makes it look like it’s a routed uplink between the gate and switch because the existing vlans from the gate can’t be tagged down to the switch (that I know of). You have to create them on the switch controller and remove them from the gate.
This approach of managing vlans on the switch controller itself is really misleading (intentional or not) from a technical perspective. It’s a dot1q trunk, not a routed uplink.

Michael, you should see a corrective chiropractor who does X-rays to fix your migraine issues

Those switches are miserable if you don’t manage it with a fortigate.

I currently have about 30 Fortiswitches connected to my 1500D HA cluster via Layer 3 Fortilink. I have seen a number of issues. My absolute number one pet peeve is that Fortinet made the capwap discovery of the controller a shit show. Wireless AP's from every vendor have been discovering controllers for a very long time. There is no reason that I should have to connect to the cli of each switch to tell it to discover the controller via dhcp.. foolish. If I'm doing it wrong please set me strait.

The most frustrating thing is that if you add a switch later after you configure a Gate, you have to redo all of your interfaces if you run multiple VLANs, because your existing FW VLANs don’t translate down to the switch. Actually, even if you don’t have any VLANs you have to redo everything.
And Fortinet names them all crazy - vsw.lan2. It also assigns it VLAN1 by default. I’m sure you can change those things from the CLI?? If you delete the existing interfaces created by FortiLink, your link stops. Lots of caveats you need to be aware of.
If I’m wrong - let me know.