Unable to Correctly Set WAN Port on Fortigate 600D

bellis1
New Member
2017/12/01 06:13:41

We are implementing a Fortinet infrastructure into one of our main buildings. We are essentially building a new network for these users and we are looking for this system to mesh well with our existing devices. I am currently setting up a Fortigate 600D running v5.4.4.
 
I am trying to set up the WAN port on the Fortigate but every IP I assign to the port is erroring out, claiming that it belongs to our main firewall. The goal is to have a PAT so one external IP address (that belongs to our organization) should do it. At first we were trying to chase down ARP tables from different devices to figure out why that specific IP might be claimed, but as I started to toy around I noticed that even private IPs, externals that didn't belong to us, and IPs I was making up on the spot were claiming to be taken by our main firewall. Is this a bug with the Fortigate Software? 

As a work around, I was able to set the WAN IP to 0.0.0.0/0.0.0.0, disable the port, set the IP correctly to one of our globals, then enable the port but it's triggering all sorts of ARP flaps on multiple devices now, so I'd like to avoid that route. Any suggestions? 
#1
rwpatterson
Expert Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/01 08:49:19
Welcome to the forums.
 
What is your goal here? If you simply want outside traffic to see you as an IP address, create an IP pool with that single address and use it inside of the outgoing policies.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.18-b0689
FGT60B
FWF60B
FWF80CM (2)
FWF81CM
 
#2
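Bob's suggestion written out as FortiOS CLI, added here as an example rather than taken from the thread: an overload IP pool holding the one public address, referenced from the outbound policy so every session leaving via wan1 is source-NATed to it. Interface names, the 203.0.113.x address and the pool/policy names are placeholders. Two things to keep in mind: the pool only chooses the NAT source address, so wan1 still needs its own primary address and a default route; and the FortiGate answers ARP for the pool address on wan1 (arp-reply is on by default), so that address must not be in use by anything else on the upstream segment or you get exactly the ARP conflicts the original post describes.

```fortios
# Single public address used for source NAT (PAT) of everything leaving via wan1.
config firewall ippool
    edit "pool-public-egress"
        set type overload                  # many internal hosts -> one address, ports rewritten
        set startip 203.0.113.10
        set endip 203.0.113.10
        set arp-reply enable               # default; wan1 will answer ARP for 203.0.113.10
    next
end

# Outbound policy: NAT with the pool instead of the wan1 interface address.
# No inbound policy is created, so nothing is reachable from outside.
config firewall policy
    edit 0
        set name "lan-to-internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "pool-public-egress"
    next
end
```

Check the result with `diagnose sys session list` on an outbound session: the NAT tuple should show 203.0.113.10 rather than the wan1 interface address.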
bellis1
New Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/01 08:57:04
Thank you!
My goal here is to set up a completely segmented network dedicated to monitoring traffic/altering bandwidth/blocking protocols for one of our main buildings we service. It will feature a separate DHCP pool from the one the rest of our campus utilizes. 
 
This is my first run in with FortiNet and I'm still in the beginning phases of setting up this device. Let me make sure I am understanding what you are saying... You are telling me not to define an IP of the WAN port? Instead to simply add the external IP I would like to use as a "pool" and alter my route to send all traffic out that pool? Is this standard practice for the FortiGate? Seems like a round-about way to do things.  
#3
rwpatterson
Expert Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/01 10:37:26
Sorry, I do not have time to elaborate. (this thing called work is getting in the way) Please look for the Fortigate Cookbook. It explains in pretty good detail (from what I have heard) about how to configure a Fortigate Firewall. If time permits later, I will get back to this.
 
Bob

 
#4
ede_pfau
Expert Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/03 07:28:48
I know what Bob is suggesting. My feeling is that it won't help, and no, this is not common practice.
There are 3 ways to associate an address with an interface:
- define it as primary address (GUI/CLI)
- define it as secondary (tertiary,...) address (secondary in GUI, others in CLI)
- define a VIP (virtual IP) associated with this interface
 
All of which would work even as a single measure (i.e., a VIP would even work if there is no interface address at all).
But the common way is to define a primary IP on the WAN interface. Throwing an error message could be a bug but could as well be rightful.
One thing to keep in mind is that the FGT is a router. No 2 interfaces may use addresses from the same collision domain. You can check address overlap for instance by looking at the routing table (Routing > Monitor).
 
Lately, I've had serious trouble with the GUI blocking an address setting because "address overlap with management port setting". Management ports have the special quality that they explicitly allow an address from an otherwise configured subnet, for instance the LAN port.
It turned out that the new "role" parameter in the GUI/CLI caused this. Setting the address in the CLI always worked, and setting the role to "undefined" let me set the address in the GUI as well. You might check this.
 
If you still have problems then please provide more info on the address spaces used: which addresses are assigned to the ports, which netmasks are used (check them!). I guess you use a transfer net between the HQ FGT (WAN port) and the branch FGT.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#5
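A concrete version of the overlap check Ede describes, added here as an example and not taken from the thread. The addresses are constructed: port1 already holds 10.20.0.0/16, so any 10.20.x.x address on another port overlaps a subnet this router already owns, whatever netmask the new port is given. The two `get`/`diagnose` commands list what is already claimed (management ports included); the last block sets the WAN address from the CLI with the role cleared, which is the path Ede reports working when the GUI refuses. 203.0.113.0/29 is a documentation range standing in for the organisation's public block.

```fortios
# Existing LAN address: this claims the whole of 10.20.0.0/16 for port1.
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.20.0.1 255.255.0.0
        set role lan
    next
end

# Before assigning anything else, list what the router already owns.
get router info routing-table connected    # one "C" route per interface subnet, e.g. 10.20.0.0/16 on port1
diagnose ip address list                   # every address/netmask bound to any interface, mgmt ports included

# This is the kind of assignment that gets refused: 10.20.5.0/24 sits inside
# port1's /16, so port1 and port2 would both claim 10.20.5.x. Shrink port1's
# mask to /24, or move port2 to a prefix outside 10.20.0.0/16, before trying it.
# config system interface
#     edit "port2"
#         set ip 10.20.5.1 255.255.255.0
#     next
# end

# WAN address set from the CLI, role cleared so the GUI role checks stay out of the way.
config system interface
    edit "wan1"
        set vdom "root"
        set role undefined
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping               # no https/ssh on the public side unless you need remote admin
    next
end
config router static
    edit 0
        set gateway 203.0.113.9
        set device "wan1"
    next
end
```

After the change, `get router info routing-table connected` should show one connected route per interface and no two entries whose prefixes contain each other; if it does, the netmask on one of them is wrong.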
bellis1
New Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/04 06:22:21
Thanks for the response. I have only tried setting the WAN IP using the GUI, so I can't speak to results via the CLI. I was able to set the IP using the method I discussed in the original posting, but I am now unable to change any information on it without resetting it back to 0.0.0.0, then making the change. 
 
One of my MGMT ports is set to the default IP (which does not overlap with my created range) and the second is set to an address that allows the FortiGate to be managed via our internal network, so again, no overlap there. 
 
Thanks for the suggestion of setting the interface to undefined. I'll give that a shot and let you know how it turns out. I'll go back to the drawing board and take a look at my designed IP ranges to ensure there's no overlap or faults. 
 
Thanks again! 
 
EDIT: I found that what was throwing me off was indeed an overlap in the network ranges. 
#6
tanr
Gold Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/04 12:11:50
I think the key point from ede_pfau was that in general no two interfaces on the FortiGate can use addresses that are in the same subnet.  If they did, since the FortiGate is a router and (mostly) not a switch, you would have some messy routing problems.
 
*However*, there are some ways to have multiple IPs on the same interface (such as defining secondary IPs on a single interface) or to have multiple physical interfaces (with the same IP) that are all on the same subnet or part of the same vlan (defining them as members of a hardware or software switch, or as an aggregate depending on what you're doing).  If you want to get complicated you can even define multiple VDOMs on the FortiGate and since each VDOM functions like a separate router each could have their own interface with its own IP for each of your subnets.
 
I think the confusion is that we're not really clear on what you're doing.  If you could provide a simple network diagram of what you want to do, and maybe what the motivation is, we could probably give better answers.
#7
bellis1
New Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/04 12:58:39
Thanks for chiming in, everyone. Your information is very helpful. 
 
After the original posting, I went back to check my configurations on the FortiGate and I did find that I was trying to assign multiple ports with the same IP range. My understanding was that I could not only use the FortiGate as a Firewall/Router, but also as a distribution switch (the 9 SFP ports on the FortiGate are to blame, I guess). 
 
Could you speak more to the Hardware/Software switch and Aggregate configurations? Since I am not allowed to configure multiple ports with the same range, I'd like to configure 1 switch port from the FortiGate and this switch in-turn link the other switches.
 
Anyhow, this is our setup: We have 1 Fortigate 600D, 5 FortiSwitch 224D's and 50 or so FortiAPs. My intent is to do the following:
 
  • Rack the Fortigate in the MDF of our building. I will uplink the FGT using our existing infrastructure and untag the port for our external vlan using an available global IP provided by our ISP.
  • I will configure 1 SFP port on the Fortigate to act as a LAN and as a Dedicated Switch Port. This will uplink switch 1 and multiple APs will be directly connected to the switch via an ethernet connection. Clients should be able to pull IP addresses via DHCP from the APs. 
  • Each switch will be uplinked via the SFP ports on the switch above it (FGT will uplink SW1, SW1 will uplink SW2, SW2 will uplink SW3...) The switching infrastructure will span across multiple IDFs. 10+ APs will also be directly connected to each switch via eth. Again, clients should be able to pull a DHCP address from each AP. I will define an IP pool dedicated to wireless access.
  • I would like for the switches to be controlled from the FortiGate (SW1 would be .11, SW2 would be .12, SW3 would be .13...) This should give you an idea of my end goal. 
#8
tanr
Gold Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/04 16:17:20
The FortiGate can do switching, but it is more of a router and firewall.  If you create a switch interface on the FortiGate that contains multiple physical interfaces that switch interface will still normally have only a single IP.
 
I'm afraid I'm still not clear if you are trying to have separate subnets, or a single subnet?  Are the switches with the .10, .11 and .12 IPs all on the same subnet?  Or are you wanting to have separate subnets and separate vlans for layer 2 separation?
 
If all you want is to have everything connected to all the switches under the FortiGate be on the same subnet you can do that relatively simply with FortiGate switch interfaces or aggregates.  Let me know and I can elaborate.
  
Assuming this is a more complex setup, some thoughts:
 
Note that the FortiLink (Dedicated Switch) interface itself isn't anything but a FortiLink interface.  You mentioned wanting to make 1 SFP port the dedicated switch port AND your lan port.  You can't do it quite that way.  But you can easily create a vlan interface (or multiple vlans) on top of the FortiLink interface to be your lan.  More below.
 
Your clients needing to get an IP address through DHCP might request it from the APs or the switches, but unless you've got your own separate DHCP server(s) you probably want DHCP IPs handed out centrally from the FortiGate.  The FortiGate makes creating a DHCP server on a vlan interface easy.
 
You'll have to decide if you want the various SSIDs on your FortiAPs to tunnel back to the FortiGate or to just be bridged onto an existing vlan (you can do both on the same FAP).  It's generally easier/faster to have them bridged, but not quite as secure.  Bridged also means you can easily have WiFi users and wired users on the same lan without doing much extra work.  I use bridged for non-publicly reachable AP locations, and tunnel for our guest SSID and for another SSID that connects to vulnerable hardware.
 
If you don't manage the FortiSwitches with the FortiGate (so no FortiLink connection) then you can connect multiple switches to multiple ports on the FortiGate using vlan tagged interfaces.  I have a 300D in this configuration.  For example, one physical interface on the 300D has 4 vlan interfaces created on it, and it is connected to a single port on our main switch which allows only those 4 vlans and only tagged packets.   Similarly, I have other physical ports with their own vlans connected to that same switch, and to other switches.  I could have created a hardware switch group on the FortiGate with its own vlan or vlans, which was connected to multiple switches that matched those vlans if desired.  Or an aggregated interface for more bandwidth, etc.
 
If you do manage the FortiSwitches from the FortiGate with a FortiLink connection, you can connect multiple switches, but how you connect them has some specific rules.  See http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-managing-fortiswitch-330-54/Stacking.htm for details.  
 
I'm part way through setting up a 5.4.6 100D with a few FortiSwitches.  My understanding is that with 5.4.x you can only have a *single* FortiLink interface on a FortiGate dedicated to the FortiSwitches. (5.6.x is a different story.)  You could do VDOMs on a single FortiGate to work around this if needed.
 
Only having a single FortiLink isn't quite as bad as it sounds, since that FortiLink interface can be a hardware/software switch interface (so comprising multiple physical interfaces), with multiple vlans created on it, connected directly to multiple FortiSwitches.  Or it can be an aggregate interface, with multiple physical interfaces, either all connected to one FortiSwitch in a stack of FortiSwitches connected by InterSwitchLink, or with some of the connections also going to the bottom of the stack as a standby connection.  Again, all of your vlans will get created on that single FortiLink interface.
 
With 5.6.x, according to the docs, you can have multiple FortiLink interfaces, but this has to be enabled from the CLI:
    config switch-controller global
        set allow-multiple-interfaces enable
    end
Unfortunately, it looks like the 5.6 GUI only supports working with vlans for the first FortiLink, so if you have multiple FortiLinks you need to work with them through the CLI.  I really hope they add GUI support for multiple FortiLinks.  5.6 also gives you the option to MCLAG the switches together for switch HA.  I don't consider 5.6.2 stable enough to switch to yet, though.
 
5.4 Managed FortiSwitch Vlans: 
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-managing-fortiswitch-330-54/VLANconfig.htm
5.6 Managed FortiSwitch Vlans:
http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-managing-fortiswitch/GlobalCLIconfig.htm
 
Hope this helps instead of making things murkier!
 
#9
Prab
New Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/05 00:14:34
Hi Bellis1,
 
Just a comment, you can have 2 or more ports with the same IPv4 address on the FG. ;)
You could use the Software, hardware or an aggregate interface. Basically here you shall group different ports together & they all will have same IP address. Please make sure you understand the limitation of these port types before implementing them.
 
Thanks & regards,
Prab
#10
bellis1
New Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/06 10:28:51
My apologies for not clarifying. The switches would all be on the same subnet. The FortiLink connected to Switch1 will define the Subnet. .10 would be the SW1. SW2 would be .11 and would be connected to SW1. SW3 would be .12 and would be connected to SW2. So on and so forth. We would also create a VLAN for Access Points and a VLAN for Wireless Access. This can be defined inside of the SSID I will create.
 
This is the second time I’m hearing about switch interfaces and aggregates. Could you elaborate further?
 
We would definitely like to manage the FortiSwitches from the FortiGate (one central location). As of now we’ve got a FortiLink connection from the FortiGate to SW1.
   
Thanks for clarifying in regards to the FortiLink/LAN port. Having two being run to the same device seemed a bit redundant. 
 
In regards to the SSID’s, I would definitely like to tunnel them back to the FortiGate. There will be no wired clients utilizing the FortiNet Infrastructure. The only devices running on this setup will be the FortiGate, the FortiSwitches and the FortiAPs. Traffic would tunnel back to the FortiGate via the LAN and with the correct policies applied, traffic should exit the FortiGate via the WAN port. I am however planning to utilize traffic shaping/bandwidth control using this SSID. Not sure if that is relevant to the conversation…
 
Thanks a ton for your help. Your information is very valuable. 
#11
tanr
Gold Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/06 12:31:51
Please note I'm NOT a FortiSwitch expert, so I might not be describing this the best way.  Hopefully someone else will jump in if I give you incorrect info.
 
If you are going to segregate your VLANs you'll probably want to change their subnets to match CIDR. A calculator that lets you plug in CIDRs or ranges is https://www.ipaddressguide.com/cidr. Remember not to use a VLAN ID of 1 as that is considered the default vlan.
 
Regarding DHCP and the LAN interface, if you're using FortiLink to the FortiSwitches you don't need to have separate cables for the lan interface. Everything should be able to go over the FortiLink, which acts as a vlan trunk and manages the switches as a stack. With the FortiLink controlling the switches, when you use the GUI to create FortiSwitch vlan interfaces those interfaces are actually getting created on top of the FortiLink interface. Your DHCP servers get created for those vlan interfaces. This might be made a little bit clearer by looking at http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-managing-fortiswitch-330-54/VLANconfig.htm  which shows the actual CLI objects that are getting created for this. You could make the FortiLink an aggregate interface if you want more bandwidth.
 
Regarding FortiAPs, if you're controlling them from the FortiGate and creating tunnelling SSIDs you'll want the FAPs on a vlan interface (probably untagged at the port they connect to) for which you've enabled CAPWAP. That will be separate from the SSID interface you create.
 
I'd suggest trying to test out simple cases before you do all this. Add a single FortiSwitch connected to a single FortiLink port on the FortiGate. Create a single vlan on top of it and set up security policies to let a user connected to the switch out to the wan (only outbound security policies). Add a second FortiSwitch connected to the first FortiSwitch by ISL. Get this working for some simple wired cases before you add in the FortiAPs. Try out the FortiAPs first with bridged SSIDs (so the FortiSwitch port they are on has the CAPWAP vlan untagged and whatever vlan the bridged SSID is tagged), then with tunnelled SSIDs, etc.
 
One gotcha if you do these simple test cases first is that the FortiGate won't let you change interfaces if they are referenced elsewhere and won't let you change vlan ids either. So converting from a simple config to a more complex one can mean almost starting over from scratch. One way you can partially work around this is to work with interface zones. Any new interface you create goes into an appropriate zone, then your security policies and most of your other work is with the zone. That way you can always just remove the interface from one zone and put it in another.
 
BTW, a lot of this is in the documentation and cookbook, but it can be difficult to sift out.  I keep hoping an updated version of UTM Security with Fortinet (https://www.amazon.com/UTM-Security-Fortinet-Mastering-FortiOS/dp/1597497479) will come out and include some of these details.
#12
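The build-out tanr lays out in the two posts above, written as FortiOS 5.4 CLI as an added example (not the poster's configuration, and not the OP's): one FortiLink on port4, an AP VLAN and a client VLAN created on top of it, DHCP served centrally from the FortiGate, CAPWAP allowed only on the AP VLAN, a tunnelled SSID with its own subnet, the switch port the AP hangs off, and an outbound-only policy. Interface names, VLAN IDs, the 10.20.x.0/24 ranges, the switch serial and the SSID details are placeholders.

```fortios
# Everything rides the single FortiLink (port4); no separate LAN cable is needed.
# AP VLAN gets capwap in allowaccess because that is how the FortiAPs reach the
# controller; the client VLAN does not, so clients cannot talk to the controller.
config system interface
    edit "vl-aps"
        set vdom "root"
        set interface "port4"
        set vlanid 30
        set ip 10.20.30.1 255.255.255.0
        set allowaccess ping capwap
        set role lan
    next
    edit "vl-clients"
        set vdom "root"
        set interface "port4"
        set vlanid 20
        set ip 10.20.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# Tunnelled SSID: client traffic rides inside CAPWAP back to the FortiGate and
# exits the SSID interface, so the SSID gets its own subnet and DHCP scope.
config wireless-controller vap
    edit "ssid-staff"
        set ssid "CampusStaff"
        set security wpa2-only-personal
        set passphrase "replace-with-a-long-passphrase"
        set local-bridging disable         # tunnel mode (the default); enable = bridged
    next
end
config system interface
    edit "ssid-staff"
        set vdom "root"
        set ip 10.20.40.1 255.255.255.0
        set allowaccess ping
    next
end

# DHCP handed out centrally from the FortiGate, one scope per interface.
config system dhcp server
    edit 0
        set interface "vl-aps"
        set default-gateway 10.20.30.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.20.30.10
                set end-ip 10.20.30.200
            next
        end
    next
    edit 0
        set interface "ssid-staff"
        set default-gateway 10.20.40.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.20.40.10
                set end-ip 10.20.40.250
            next
        end
    next
end

# Switch port the AP is plugged into: AP VLAN untagged (native), client VLAN
# tagged so a bridged SSID could be added later without re-cabling.
config switch-controller managed-switch
    edit "S224DF3X17000001"
        config ports
            edit "port1"
                set vlan "vl-aps"
                set allowed-vlans "vl-clients"
            next
        end
    next
end

# Outbound-only policy for the wireless clients; nothing inbound is opened.
config firewall policy
    edit 0
        set name "wifi-to-internet"
        set srcintf "ssid-staff"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
```

Traffic shaping for the SSID, which the OP mentions wanting, attaches to this same policy (a shaping profile or per-policy shaper), so keeping one policy per SSID makes that straightforward later.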
bellis1
New Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/08 07:38:24
Been a day or so since I've last responded. My co-worker has been helping me figure this setup out. Just an update of where I'm at...
 
The FortiGate has basic internet connectivity. We defined multiple VLANs on the FortiLink port. For each VLAN we created, we also created an IPv4 policy which allows access internet connectivity. Each VLAN was tested successfully for pushing out the correct DHCP ranges (and all had internet connectivity). We extended the test to Access Points and defined a range inside of the SSID that the FortiAPs will broadcast. We were able to successfully connect to the SSID and again, get internet access.
 
This setup was tested using 1 FortiGate, 1 FortiSwitch and multiple FortiAPs. When we tried to introduce a second FortiSwitch, we were unable to manage both switches from the FortiGate.
 
Port 4 on the FortiGate is defined as a FortiLink and is connected to FortiSwitch1 on port 27. Port 28 on FortiSwitch1 is connected to port 27 on FortiSwitch2. I am unable to see FortiSwitch2 from the FortiGate.
 
 
We were able to configure FortiSwitch2 manually and successfully tested both our Access Point VLAN and our pre-defined SSID. We had internet connectivity, but none of it would be possible without connectivity from the MGMT interface. 
 
Is there a way centrally manage multiple FortiSwitches from the FortiGate? I have seen something about stacking so I want to be clear- each switch will have a separate IP Address and be racked in separate IDF's across the building. These will not be part of a traditional stack. 
 
#13
tanr
Gold Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/08 10:54:30
Inter-switch links should be automatic.  That is, if your FortiGate has a FortiLink connection to FortiSwitch #1, then adding a connection between FortiSwitch #1 and FortiSwitch #2 should automatically register it with the FortiGate to be authorized.  Unless your FortiGate's FortiLink interface has fortilink-stacking disable?
 
I'm offsite today, so can't easily check my configs.
#14
bellis1
New Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/08 11:33:46
Thanks for the response. 
 
The FortiGate definitely has a FortiLink connection to FortiSwitch1 via Port 4 to Port 27. FortiSwitch1 is displayed from the FortiGate in the "Managed FortiSwitch" section with a black circle and a FortiLink logo on/around the port itself. Port 28, which is the uplink for FortiSwitch2, is green, but shows neither a circle nor a FortiLink logo. 
 
The FortiAPs connected to FortiSwitch2 showed up for authorization but the switch has yet to. I ran the following commands from the FortiGate via the CLI but nothing has appeared to change. 
 
    config system interface
        edit port4
            set fortilink-stacking enable
        next
    end
 
Based on independent research, I'm starting to think I need to define the FortiLink as a Logical Interface. Does this sound right to you? From the documentation, it appears that this allows both ports 27 and ports 28 on FortiSwitch1 to be dedicated FortiLinks (FortiSwitch1 and FortiSwitch2's uplinks, respectively).
 
I can only assume this is a trickle down technology which would allow me to define FortiLinks down the line (on switches 2, 3 and 4)? 
#15
tanr
Gold Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/08 14:43:35
Ah, sorry, missed your comment that this wouldn't actually be a stack.  In that case, you won't have any inter-switch links because those would be what handled the stacking (and trunking).
 
First off, I should ask: Is that what you want?  You don't want to manage the switches as a stack?  With a stack you still control which ports on which switches allow specific vlans, and you can still see the separate switches.  It just makes the management and trunking easier.  If you want to do stacking you'll need to have "set fortilink-stacking enable" on whatever your FortiGate's FortiLink interface is.  With my own stack, the switch ports I have connected by ISL were both set as auto-discovery-fortilink enable.
 
If you do want to control each switch separately from the FortiGate, then you're looking at the example "Single FortiGate managing multiple FortiSwitches (using hardware or software switch interface)" in http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-managing-fortiswitch-330-54/Stacking.htm.  In that case, your FortiLink interface needs to actually be a hardware or software switch interface, to which you add multiple physical port members.  This is still seen as a single interface, but you can then directly connect to each switch.  You'll also need to have "set fortilink-stacking disable" on your FortiLink interface.  I don't have this configured myself, so haven't done much testing with that setup.
#16
bellis1
New Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/11 06:34:04
I come from a Brocade environment where a traditional "stack" refers to 2 or more switches connected together via QSFP+ ports. All of our stacks in other buildings are in the same IDF. You can control each switch and its ports individually from the "active controller", but each stack has 1 single IP address and are treated as a single unit. 
 
Our five switches will be spanned across five different IDFs in a 100,000+ square foot facility. I would prefer each switch have its own IP address to make for easier troubleshooting but that is not necessarily required. My biggest concern is centralized management from the Fortigate. I still want to be able to control which ports on which switches allow specific vlans. 
 
I ran a "set fortilink-stacking enable" on the FortiLink interface last week but the ISL between SW2 and SW3 did not auto-configure as it should. With that being said, I have had to reload the FortiGate a few times to make changes to the FortiLink interface so I'm wondering if that would be required. 
 
Looking at that diagram you provided, I see that all FortiSwitches are connected directly to the FortiGate. This is not necessarily the infrastructure I am looking to implement. A single switch will be directly connected to the FortiGate but that is all. The second switch will be uplinked through the first switch, the third switch will be uplinked through the second switch, the fourth switch will be uplinked through the third switch and the fifth switch will be uplinked through the fourth switch. So technically there will be only one FortiLink configured on the FortiGate itself. The rest of the links will be from FortiSwitches. Is a SW/HW switch still the best option for this setup? 
 
Thank you so much for the help. You are very much appreciated! 
 
#17
tanr
Gold Member
Re: Unable to Correctly Set WAN Port on Fortigate 600D 2017/12/11 10:28:30
If you want to chain your switches together as you describe, then that is a stack, just without switches in the same rack.   That is more like the "Single FortiGate managing a stack of several FortiSwitches" example, just without a standby FortiLink and without the redundant ISL from the last FortiSwitch in the stack to the first.  In this config you don't need to use the SW/HW switch on the FortiGate, though your FortiLink and ISLs can still be aggregates to give you more bandwidth.
 
I'm basically doing the same sort of stack, with just two small FortiSwitches and no standby FortiLink or redundant ISL return loop.  For me, this is really just a proof of concept test to see if this will work for us at our main office.  I'll probably add a third switch to the setup to test both the stack config and the two-tier config.
 
If you have a stacked (or second-tier) FortiSwitch that isn't getting automatically recognized when you connect it to the first managed FortiSwitch, have you confirmed that the ports being connected have auto-discovery-fortilink enabled?
 
If you need to set properties for a FortiSwitch port on a switch that is already being managed by the FortiGate you will need to create custom switch commands as in http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-managing-fortiswitch-330-54/AdditionalContent.htm.  Note that the 5.4.x documentation doesn't tell you that to put in a return character you use the special sequence "%0a".
 
I haven't been able to directly control the FortiSwitches by their IPs once they are managed by the FortiGate, but have used the custom commands as above.  I'm not sure I like the trade off of control vs. visibility.
#18
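The two FortiLink layouts tanr contrasts in the last few posts, written out as FortiOS 5.4 CLI as an added example; this is not any poster's actual configuration. Layout 1 is the OP's chain (one FortiLink, switches daisy-chained by ISL across the IDFs) and includes the custom-command mechanism with the "%0a" newline separator mentioned above. Layout 2 is the alternative where every switch cables straight to a software-switch FortiLink. Interface names, the serials S224DF3X17000001/…002 and the 169.254.1.0/24 FortiLink address are placeholders; `fsw-wan1-admin` is the 5.4 authorization flag, and the switch-side `config switch interface` path for auto-discovery-fortilink is from memory of FortiSwitchOS 3.x and should be checked against the switch's own CLI. The two layouts are alternatives: apply one, not both.

```fortios
# ---- Layout 1: one FortiLink on port4, switches chained SW1 -> SW2 -> SW3 by ISL ----
# fortilink-stacking lets the FortiGate learn switches behind SW1 through SW1.
config system interface
    edit "port4"
        set vdom "root"
        set fortilink enable
        set fortilink-stacking enable
        set ip 169.254.1.1 255.255.255.0
        set allowaccess ping capwap        # capwap carries the switch-controller session
    next
end

# The downlink on each switch to the next one must have auto-discovery enabled.
# On an already-managed switch that is pushed with a custom command; "%0a" is
# the newline separator the 5.4 docs do not mention.
config switch-controller custom-command
    edit "isl-port28"
        set command "config switch interface %0a edit port28 %0a set auto-discovery-fortilink enable %0a next %0a end %0a"
    next
end
execute switch-controller custom-command isl-port28 S224DF3X17000001

# Once SW2 is discovered through SW1, authorize it from the FortiGate instead of
# configuring it by hand over its management port.
config switch-controller managed-switch
    edit "S224DF3X17000002"
        set fsw-wan1-admin enable
    next
end

# ---- Layout 2: every switch cabled directly to the FortiGate ----
# The FortiLink is a software switch of several ports and stacking is off;
# each member port goes to one FortiSwitch.
config system switch-interface
    edit "fortilink-sw"
        set vdom "root"
        set member "port4" "port5" "port6"
    next
end
config system interface
    edit "fortilink-sw"
        set fortilink enable
        set fortilink-stacking disable
        set ip 169.254.1.1 255.255.255.0
        set allowaccess ping capwap
    next
end
```

In either layout the switches are reachable only through the FortiGate once managed, which matches tanr's observation that their own IPs stop being useful for direct administration; `execute switch-controller get-conn-status` on the FortiGate shows which switches are connected and whether each is authorized.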