FortiGate units can be used to remotely manage FortiSwitch units, which is also known as using a FortSwitch in FortiLink mode. FortiLink defines the management interface and the remote management protocol between the FortiGate and FortiSwitch.
Supported FortiSwitch models
The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.
|FortiSwitch||FortiGate||Earliest FortiSwitchOS||Earlist FortiOS|
|FS-124D||FGT-90D + FGT-60D||3.0.1||5.2.3|
|FS-124D-POE||FGT-90D + FGT-60D||3.0.1||5.2.3|
|FS-224D-FPOE||FGT-90D + FGT-60D||3.0.1||5.2.3|
Note that all FortiSwitches above also support FortiLink mode when paired with the following FortiGate models: 100D, 140D (POE, T1), 200D, 240D, 280D (POE), 600C, 800C, and 1000C.
FortiLink ports for each FortiSwitch model
Each FortiSwitch model provides one designated port for the FortiLink connection. The table below lists the FortiLink port for each model:
|FortiSwitch model||Port for FortiLink connection|
|FS-28C||WAN port 1|
|FS-448B (10G only)||WAN port (uplink 1)|
|FortiSwitch model Port for FortiLink connection|
|FS-348B Last port (port 48)|
|For all D-series switches, use the last (highest number) port for FortiLink. For example:|
|FS-108D-POE Last port (port 10)|
|FSR-112D-POE Last port (port 12)|
|FS-124D Last port (port 26). May require an SFP module.*|
|FS-224D-POE Last port (port 24)|
|FS-224D-FPOE Last port (port 28). May require an SFP module.*|
FortiLink ports for each FortiGate model
The following table shows the ports for each model of FortiGate that can be FortiLink-dedicated.
|FortiGate model||Port for FortiLink connection|
|FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE||port1 – port14|
|FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE||port1 – port7|
|FGT-100D||port1 – port16|
|FGT-140D , 140D-POE, 140D-POE-T1||port1 – port36|
|FGT-200D||port1 – port16|
|FGT-240D||port1 – port40|
|FGT-280D, FGT-280D-POE||port1 – port84|
|FGT-600C||port3 – port22|
|FGT-800C||port3 – port24|
|FGT-1000C||port3 – port14, port23, port24|
Auto-discovery of the FortiSwitch ports
In releases FortiSwitchOS 3.3.0 and beyond, the D-series FortiSwitch models support FortiLink auto-discovery, which is automatic detection of the port connected to the FortiGate.
You can use any of the switch ports for FortiLink. Use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:
config switch interface edit <port> set auto-discovery-fortilink enable
Note that some FortiSwitch ports are enabled for auto-discovery by default.
Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.
In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. The table below lists the default auto-discovery ports for each switch model:
|FortiSwitch model||Default Auto-FortiLink ports|
|FS-108D||ports 9 and 10|
|FSR-112D||ports 9, 10, 11, and 12|
|FS-124D, FS-124D-POE||ports 23, 24, 25, and 26|
|FS-224D-POE||ports 21, 22, 23, and 24|
|FS-224D-FPOE||ports 25, 26, 27, and 28|
|FS-248D-POE||ports 49, 50, 51, and 52|
|FS-248D-FPOE||ports 49, 50, 51, and 52|
|FS-424D, FS-424D-POE, FS-424D-FPOE||ports 25 and 26|
|FS-448D, FS-448D-POE, FS-448D-FPOE||ports 49, 50, 51, and 52|
|FS-524D, FS-524D-FPOE||ports 25, 26, 27, 28, 29, and 30|
|FS-548D, FS-548D-FPOE||ports 49, 50, 51, 52, 53, and 54|
|FS-1024D, FS-1048D, FS-3032D||all ports|
You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.
Adding a Managed FortiSwitch to the FortiGate
The following steps show how to add a new managed FortiSwitch using the FortiGate GUI or the CLI.
Using the FortiGate GUI:
- Connect a cable from the designated FortiSwitch port to an unused port on the FortiGate. Refer to FortiLink ports for each FortiSwitch model for additional information.
- Go to Network > Interfaces and edit an internal port on the FortiGate.
- Set Addressing mode to Dedicated to FortiSwitch and select OK.
- As of FortiOS 5.4.0, the Managed FortiSwitch GUI option can only be accessed by enabling it through the CLI console.
Open the CLI console and enter the following command to make the switch controller available in the GUI, and to set the reserved subnetwork for the controller:
config system global set switch-controller enable
set switch-controller-reserved-network 169.254.254.0 255.255.255.0
- Go to WiFI & Switch Controller > Managed FortiSwitch. The new FortiSwitch should now be displayed in the table.
- Right-click on the FortiSwitch and select Authorize.
Using the FortiGate CLI:
Note that, for the example shown below, the FortiGate’s port1 is configured as the FortiLink port.
- If required, remove port1 from the lan interface:
config system virtual-switch edit lan config port delete port1
- Configure the interface for port1:
config system interface edit port1 set ip 172.20.120.10 255.255.255.0 set allowaccess capwap set vlanforward enable
- Configure an NTP server on port1:
config system ntp set server-mode enable set interface port1
- Authorize the FortiSwitch unit as a managed switch (note that that FortiSwitch will reboot once you issue the command below):
config switch-controller managed-switch
edit FS224D3W14000370 set fsw-wan1-admin enable
- Configure a DHCP server on port1:
config system dhcp server edit 0 set netmask 255.255.255.252 set interface port1 config ip-range edit 0 set start-ip 169.254.254.2 set end-ip 169.254.254.50
set vci-match enable set vci-string FortiSwitch set ntp-service local
Set the FortiSwitch to Remote Management mode
Use the FortiSwitch GUI or the CLI to set the remote management mode.
Note that the following steps are not necessary for FortiSwitchOS releases 3.3.0 or later.
Using the FortiSwitch GUI:
- Go to System > Dashboard > Status and locate the System Information
- Beside Operation Mode, select Change.
- Change Management Mode to FortiGate Remote Management and select OK.
- A warning will appear asking if you wish to continue. Select OK.
Using the FortiSwitch CLI:
config system global set switch-mgmt-mode fortilink
Configuring the FortiSwitch Remote Management port
If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.
To do this, from the FortiSwitch CLI, enter the following command:
config router static edit 1 set device mgmt
set gateway <router_IP_address> set dst <router_subnet> <subnet_mask>
Configuring FortiLink LAG
Starting with FortiOS 5.4.0 and FortiSwitchOS 3.3.0, you can configure the Fortilink as a Link Aggregation Group (LAG) to provide increased bandwidth between the FortiGate and FortiSwitch.
Connect any two ports on the FortiGate to two ports on the FortiSwitch. Make sure that you use the designated Fortilink port as one of the ports on the switch.
To configure the Fortilink as a LAG on the FortiGate, create a trunk (of type fortilink) with the two ports that you connected to the switch:
config system interface edit “fortilink” set vdom root
set allowaccess ping capwap http https set type fortilink set member port4 port5 set snmp-index 17 set lacp-mode static
end config system ntp set ntpsync enable set syncinterval 60 set server-mode enable set interface “fortilink”
There is no specific configuration required for the LAG on the switch.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!