Thanks for your thoughts and insight. I’m going to take note of the incorrect NTP config causing issues too! ✌️
I totally agree with you. Could you do a video on stacking Fortiswitches?
Sounds good
That would be a great video because I'm starting to get into FortiSwitches now.
FortiLink gives you visibility and security at the access port level (aka east-west traffic), whereas in a typical 2-tier/3-tier topology you will not. And as Mike says, you have to view FortiLink as an extension of the firewall itself down to the access port, and this is really powerful.
Please make a video about FortiAuthenticator, how to do all this stuff, and about MAB, MAC dynamic.
Yes, please do the layer 3 video!
Can you set up the FortiLink just for management, and set up other ports for data?
I have a NAS switch that I want to manage with FortiLink, but I don't want all the VLANs in it, just the 1 NAS network.
FortiLink is just a fancy trunk port on a FortiGate. Standard vlan trunking can work on it but the underlying protocol for switch management is what makes it fun on a FortiGate.
I want to know more about it.
Hi! Is it possible to create different FortiLinks on different VDOMs to share FortiSwitch ports? When I try to create an MCLAG with exported ports, it is not possible. BR
Hi, can you please advise whether it is possible to carry VLAN data/production traffic on dedicated FortiLink ports (I mean, can FortiLink carry control plane and data plane traffic simultaneously)?
If not, then my second question is to verify that I need to create VLAN 110 (name "FS-test") on the FortiLink interface and allow this VLAN on FortiSwitch port 1, and create the same VLAN 110 (name "FGT-test") and allow it on the WAN port of the FGT. Connect the FGT WAN port with FortiSwitch port 1, and this will pass the traffic through on VLAN 110. As per my understanding, the same VLAN number can be used under FortiLink and the WAN port, but not the same name for that VLAN; in our case it is VLAN 110.
Hey Mike,
Have you heard of the cert issue with 6.2.x? Particular sites, when the IPv4 policy is in proxy mode, will give a cert error.
"Allow invalid certs" in the SSL security policy doesn't fix it, and the "fix" from TAC has been to put the IPv4 policy in flow mode; however, this sacrifices some of the feature set I'm using.
It was so strange: just out of nowhere, no updates or anything on my part, and my phone goes off the hook with complaints of websites being blocked.
I’ve been avoiding 6.2.x at all costs
@FortinetGuru We are having the same cert issue with 6.4.2. I have a ticket in as well.
Best part is I can ship a switch to a site with no config and plug it in and remotely fully configure it as needed.
Oh yeah. Or if one dies you can replace config for config with a simple command.
Have never successfully connected more than one switch to my gate... FortiLink to a 124 and then from the 124 to several 108s works fine. With all the switches connected to a single gate, the gate gets all pissed.
Support says it can't be done; can it, Mike? Optimally I would want 2 1Gb interfaces from the gate to each switch. Thanks man, dig your content, it has helped a ton, cheers
Absolutely can. Is hardware switch on fortigate doing fortilink with multiple switches connected directly recommended? No. Do I have it running fine all over the place? Yes.
I recommend an aggregate FortiLink with two distro switches stacked. From there your IDF stacks connect up. Have big switch deployments running great like this.
Hey Mike, I have a FortiWifi 40F with several SSIDs on it, and I just got a FortiGate 70F that I would like to use as my new gateway along with a new FortiAP. Is it possible to manage the FortiWifi as a glorified AP from the WiFi controller of the 70F? I am looking to support roaming from the AP to the FWF and vice versa using the controller on the 70F. I would appreciate any guidance or suggestions. Thank you!
I noticed with FortiOS 7.0 the FortiLink interfaces are coming up as type 802.3ad aggregate interfaces. Have you found that FortiOS behaves fundamentally differently with regard to FortiLink interfaces, or do you feel that this is just more accurately describing what they were already doing?
They've been like that since 6.x afaik.
Aggregate interface means you can add interfaces and increase throughput. Still a fortilink interface.
Good stuff man, thanks
What's the easiest way to turn off SIP ALG on a FortiGate?
My main issue with it is the implementation. It lacks options/functions on the switch. Updates always scare me because of new bugs (after the last update, ports assigned to other VDOMs were suddenly not working anymore). Troubleshooting is very limited (mirroring is very limited).
Sometimes I feel it is like managing a black box and get frustrated by its lack of flexibility. It looks nice for the end customer. It made it easier to push security settings onto port level. But I would rather choose a vPC or stack setup with best-in-class HW.
Hey Mike, can you set up two FortiSwitches in standalone mode to be used as CORE switches with MCLAG-ICL? Basically what I want to do is to leave L3 routes at the FortiSwitch end.
I suppose you could. 99% of the folks I know buy FortiSwitches and Manage from the Gate. Remember that MCLAG-ICL isn't the same as stacking switches. I would, personally, prefer to have the visibility of traffic crossing VLANs and what not.
Thanks for that. Could you please make a video about the FortiVM HA configuration (A-A) in a VMware environment? I am stuck as it changes the interface IP address every time I try to create a cluster. Would love to see a video about it. Chaoo
Does it actually route traffic (native vlan and other vlans) over the fortilink or is it strictly for management only?
It is a trunk port essentially that also carries the management protocol for the switches
Can VDOM be done on the FortiSwitch?
Not sure I follow
VLANs are tied to VDOMs, so when you push a VLAN to a FortiSwitch port, you basically tie it to the VDOM that the VLAN belongs to. If I understood your question correctly.
@FortinetGuru Turn a switch into multiple virtual switches like VDOMs do for FortiGate. Like virtualization of the switch.
i'm giggling my ass off cuz my wife just came in to talk about our kids or something... (she always says I never listen to her, or yada yada yada... whatever... anyway, I pressed pause and after she finished yelling at me she looked at my screen, stopped at about 03:59... i caught a perfectly crazed look on your face... to which she said, "omg - what are you even watching... why can't you just watch porn like a normal person"... some people will never appreciate the beauty of networking... keep up the great work!
😂😂
Michael, you should see a corrective chiropractor who does X-rays to fix your migraine issues
I have been. Temporary benefit. Lasts an hour or two. For me, it could totally be a placebo effect though.
VLANs on the Switch Controller via FortiLink make it look like it’s a routed uplink between the gate and switch, because the existing VLANs from the gate can’t be tagged down to the switch (that I know of). You have to create them on the switch controller and remove them from the gate.
This approach of managing vlans on the switch controller itself is really misleading (intentional or not) from a technical perspective. It’s a dot1q trunk, not a routed uplink.
You think it looks like that. In reality it doesn't look like that at all.
The most frustrating thing is that if you add a switch later after you configure a Gate, you have to redo all of your interfaces if you run multiple VLANs, because your existing FW VLANs don’t translate down to the switch. Actually, even if you don’t have any VLANs you have to redo everything.
And Fortinet names them all crazy - vsw.lan2. It also assigns it VLAN1 by default. I’m sure you can change those things from the CLI?? If you delete the existing interfaces created by FortiLink, your link stops. Lots of caveats you need to be aware of.
If I’m wrong - let me know.
Once an upstream switch has FortiLink, my FortiGates prevent me from overwriting them (the FortiLink interfaces). Would love to hear more about your particular issue so I can be more knowledgeable and maybe bitch at Fortinet about it :P
Fortinet Guru: There's no issue per se. It’s just that if you have a gate, and later replace, say, Cisco switches with Fortinet switches, once the switch links up to the gate using FortiLink, you have to reconfigure all of your gate interfaces if you want to present those VLANs down to your new switch. You have to configure them under the FortiLink interface as a sub-interface. By default, the switch will not recognize the existing interfaces/VLANs already configured on your FortiGate. So if you have VLAN2 on your gate, the switch doesn’t know about VLAN2. If you try to create VLAN2 on the switch, you can’t do it; it says VLAN2 already exists.
The only way to make the switch know about VLAN2 is to delete that interface from the Gate, and recreate it under the switch. Which means all existing rules, interfaces, references, etc have to be deleted first, then recreated from scratch.
@sullimd I was just playing around with FortiLink and I noticed that. I had several VLANs (10, 20, 30) with IPs on the FortiGate and couldn't give the switch an IP on that VLAN/network. I was looking at replacing some old Cisco switches with Fortinet switches. That is a major pain in the ass.
Gio G: Yep. Exactly. Just making sure I wasn’t the only one, or doing it wrong. I imagine a lot of people are starting with a new remote site, let’s say, and doing a new gate, a 24-port switch, with an AP. If you’re starting from scratch with it all, it’s pretty slick. If you’re replacing an existing switch with a Fortinet switch, it’s a huge HUGE pain with a lot of downtime. You’d just about be better off starting from scratch.
TGSR - I feel your pain. This is a total PITA. WHY o WHY can't I just push my VLANs down to the FS?
Hi Mike, hi guys. Mike, thanks for all the info you put out. It's been really helpful.
I have been trying to connect my FortiSwitch to my FortiGate (without using FortiLink), and I can barely find any documentation on that. I am stuck at this time. It would be great if I could get a link to a helpful resource in this respect. Thanks.
Those switches are miserable if you don’t manage it with a fortigate.
oh, you look like a guru
I currently have about 30 FortiSwitches connected to my 1500D HA cluster via Layer 3 FortiLink. I have seen a number of issues. My absolute number one pet peeve is that Fortinet made the CAPWAP discovery of the controller a shit show. Wireless APs from every vendor have been discovering controllers for a very long time. There is no reason that I should have to connect to the CLI of each switch to tell it to discover the controller via DHCP... foolish. If I'm doing it wrong, please set me straight.
DHCP option 138, my man. Define the controller there.
@FortinetGuru Absolutely. But a typical AP will do a controller discovery: boot up, check layer 2, then DHCP option 138, and many will fall back on a predefined DNS name. With a FortiSwitch we have to jump through hoops. I have a documented procedure to follow for the first FortiSwitch we install in a data closet and then a separate process for each additional switch. It is ugly. Perhaps it has gotten better since it was introduced in 6.0, but if so I am not aware. I have provided this procedure to my SE at his request, so that he could share it with other clients who were having issues. That leads me to believe it to be accurate.
I would like you (if possible) to make a video about how slow the FortiOS web UI is in some versions.
Sometimes, Fortinet releases a new version with a bunch of fixes, but they don't bother to fix the slow web UI.
Like yesterday, I upgraded a 6KF from 5.6.7 to 6.2.3, and as you may know, not every version applies to this device, and you need to wait a long time until they release a version that applies to it. So we upgraded to 6.2.3, got new features, but damn it, the web UI is very slow: you need to wait 20 seconds until it starts showing the policies. And guess what, I read all the known issues in this version's release notes, but they didn't mention it. Fortinet TAC says it's an internal bug, not published... I'm tired of this sh*t.