Fortinet Document Library

Version: 6.2.0

FortiLink

FortiGate units can be used to remotely manage FortiSwitch units, which is also known as using a FortiSwitch in FortiLink mode. FortiLink defines the management interface and the remote management protocol between the FortiGate and FortiSwitch.

Different FortiGate models support remote management for varying numbers of FortiSwitches, as shown below:

| FortiGate | Number of FortiSwitches |
| --- | --- |
| Up to FortiGate 98 and FortiGate VM01 | 8 |
| FortiGate 100 to 280 and FortiGate VM02 | 24 |
| FortiGate 300 to 5xx | 48 |
| FortiGate 600 to 900 and FortiGate VM04 | 64 |
| FortiGate 1000 and up | 128 |
| FortiGate-3000 and up, and FortiGate VM08 and up | 300 |

Supported FortiSwitch models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.

| FortiSwitch | FortiGate | Earliest FortiSwitchOS | Earliest FortiOS |
| --- | --- | --- | --- |
| FS-224D-POE | FGT-90D (WiFi/POE) | 3.0.0 | 5.2.2 |
| FS-108D-POE | FGT-60D (all) | 3.0.1 | 5.2.3 |
| FSR-112D-POE | FGR-90D | 3.0.1 | 5.2.3 |
| FS-124D | FGT-90D + FGT-60D | 3.0.1 | 5.2.3 |
| FS-124D-POE | FGT-90D + FGT-60D | 3.0.1 | 5.2.3 |
| FS-224D-FPOE | FGT-90D + FGT-60D | 3.0.1 | 5.2.3 |

Note that all FortiSwitches above also support FortiLink mode when paired with the following FortiGate models: 100D, 140D (POE, T1), 200D, 240D, 280D (POE), 600C, 800C, and 1000C.

FortiLink ports for each FortiSwitch model

Each FortiSwitch model provides one designated port for the FortiLink connection. The table below lists the FortiLink port for each model:

| FortiSwitch model | Port for FortiLink connection |
| --- | --- |
| FS-28C | WAN port 1 |
| FS-324B-POE | Management Port |
| FS-448B (10G only) | WAN port (uplink 1) |
| FS-348B | Last port (port 48) |

For all D-series switches, use the last (highest number) port for FortiLink. For example:

| FortiSwitch model | Port for FortiLink connection |
| --- | --- |
| FS-108D-POE | Last port (port 10) |
| FSR-112D-POE | Last port (port 12) |
| FS-124D | Last port (port 26). May require an SFP module.* |
| FS-224D-POE | Last port (port 24) |
| FS-224D-FPOE | Last port (port 28). May require an SFP module.* |

* FortiSwitch 3.3.1 and later releases support the use of an RJ-45 port for FortiLink. For additional information, visit the Fortinet Support website.

FortiLink ports for each FortiGate model

The following table shows the ports for each model of FortiGate that can be FortiLink-dedicated.

| FortiGate model | Port for FortiLink connection |
| --- | --- |
| FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE | port1 - port14 |
| FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE | port1 - port7 |
| FGT-100D | port1 - port16 |
| FGT-140D, 140D-POE, 140D-POE-T1 | port1 - port36 |
| FGT-200D | port1 - port16 |
| FGT-240D | port1 - port40 |
| FGT-280D, FGT-280D-POE | port1 - port84 |
| FGT-600C | port3 - port22 |
| FGT-800C | port3 - port24 |
| FGT-1000C | port3 - port14, port23, port24 |

Auto-discovery of the FortiSwitch ports

In FortiSwitchOS 3.3.0 and later releases, the D-series FortiSwitch models support FortiLink auto-discovery, which is automatic detection of the port connected to the FortiGate.

You can use any of the switch ports for FortiLink. Use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

    config switch interface
        edit <port>
            set auto-discovery-fortilink enable
        next
    end

Note that some FortiSwitch ports are enabled for auto-discovery by default.

Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.

In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. The table below lists the default auto-discovery ports for each switch model:

| FortiSwitch model | Default auto-FortiLink ports |
| --- | --- |
| FS-108D | ports 9 and 10 |
| FSR-112D | ports 9, 10, 11, and 12 |
| FS-124D, FS-124D-POE | ports 23, 24, 25, and 26 |
| FS-224D-POE | ports 21, 22, 23, and 24 |
| FS-224D-FPOE | ports 25, 26, 27, and 28 |
| FS-248D-POE | ports 49, 50, 51, and 52 |
| FS-248D-FPOE | ports 49, 50, 51, and 52 |
| FS-424D, FS-424D-POE, FS-424D-FPOE | ports 25 and 26 |
| FS-448D, FS-448D-POE, FS-448D-FPOE | ports 49, 50, 51, and 52 |
| FS-524D, FS-524D-FPOE | ports 25, 26, 27, 28, 29, and 30 |
| FS-548D, FS-548D-FPOE | ports 49, 50, 51, 52, 53, and 54 |
| FS-1024D, FS-1048D, FS-3032D | all ports |

You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.
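
Because any auto-discovery port will accept a FortiLink connection, it is worth comparing the show switch interface output against the uplink ports you actually intend to use. The following is an added example, not Fortinet code: the sample output is constructed, the function names and the intended-uplink list are assumptions, and the output is assumed to use the config/edit/set/next/end layout shown in the commands above.

```python
import shlex

KEY = "auto-discovery-fortilink"  # setting name as it appears on this page

# Constructed sample of `show switch interface` output, not captured from a device.
SAMPLE_SHOW_OUTPUT = """\
config switch interface
    edit "port1"
        set native-vlan 10
    next
    edit "port9"
        set auto-discovery-fortilink enable
    next
    edit "port23"
        set auto-discovery-fortilink disable
    next
    edit "port24"
        set auto-discovery-fortilink enable
    next
end
"""

def parse_interfaces(text):
    """Return {port: {setting: value}} for the 'config switch interface' table."""
    ports, current, depth, in_table = {}, None, 0, False
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                in_table = tok[1:] == ["switch", "interface"]
        elif tok[0] == "end":
            depth -= 1
            in_table = in_table and depth > 0
        elif in_table and depth == 1:  # ignore settings of nested config blocks
            if tok[0] == "edit" and len(tok) > 1:
                current = ports.setdefault(tok[1], {})
            elif tok[0] == "next":
                current = None
            elif tok[0] == "set" and current is not None and len(tok) > 2:
                current[tok[1]] = " ".join(tok[2:])
    return ports

def autodiscovery_ports(text):
    """Ports whose entry explicitly enables FortiLink auto-discovery, in file order."""
    return [p for p, s in parse_interfaces(text).items() if s.get(KEY) == "enable"]

def unexpected_autodiscovery(text, intended_uplinks):
    """Auto-discovery ports that are not on the intended FortiLink uplink list."""
    allowed = set(intended_uplinks)
    return [p for p in autodiscovery_ports(text) if p not in allowed]
```

Calling unexpected_autodiscovery(SAMPLE_SHOW_OUTPUT, ["port24"]) reports port9, which is a candidate for set auto-discovery-fortilink disable if it is an ordinary access port.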

Adding a managed FortiSwitch to the FortiGate

The following steps show how to add a new managed FortiSwitch using the FortiGate GUI or the CLI.

Note: For FortiSwitchOS releases prior to 3.3.0, you must first set the FortiSwitch to remote management mode (see "Set the FortiSwitch to remote management mode") before following the steps below.

To use the FortiGate GUI:

  1. Connect a cable from the designated FortiSwitch port to an unused port on the FortiGate. Refer to "FortiLink ports for each FortiSwitch model" for additional information.
  2. Go to Network > Interfaces and edit an internal port on the FortiGate.
  3. Set Addressing mode to Dedicated to FortiSwitch and select OK.
  4. As of FortiOS 5.4.0, the Managed FortiSwitch GUI option can only be accessed by enabling it through the CLI console.

    Open the CLI console and enter the following command to make the switch controller available in the GUI, and to set the reserved subnetwork for the controller:

    config system global
        set switch-controller enable
        set switch-controller-reserved-network 169.254.254.0 255.255.255.0
    end

  5. Go to WiFi & Switch Controller > Managed FortiSwitch. The new FortiSwitch should now be displayed in the table.
  6. Right-click on the FortiSwitch and select Authorize.

To use the FortiGate CLI:

This example shows the FortiGate's port1 configured as the FortiLink port.

  1. If required, remove port1 from the lan interface:

    config system virtual-switch
        edit lan
            config port
                delete port1
            end
        next
    end

  2. Configure the interface for port1:

    config system interface
        edit port1
            set ip 172.20.120.10 255.255.255.0
            set allowaccess capwap
            set vlanforward enable
        next
    end

  3. Configure an NTP server on port1:

    config system ntp
        set server-mode enable
        set interface port1
    end

  4. Authorize the FortiSwitch unit as a managed switch (note that FortiSwitch will reboot once you issue the command below):

    config switch-controller managed-switch
        edit FS224D3W14000370
            set fsw-wan1-admin enable
        next
    end

  5. Configure a DHCP server on port1:

    config system dhcp server
        edit 0
            set netmask 255.255.255.252
            set interface port1
            config ip-range
                edit 0
                    set start-ip 169.254.254.2
                    set end-ip 169.254.254.50
                next
            end
            set vci-match enable
            set vci-string FortiSwitch
            set ntp-service local
        next
    end

Set the FortiSwitch to remote management mode

Use the FortiSwitch GUI or the CLI to set the remote management mode.

Note that the following steps are not necessary for FortiSwitchOS releases 3.3.0 or later.

To use the FortiSwitch GUI:

  1. Go to Dashboard > Main > System Information.
  2. Beside Operation Mode, select Change.
  3. Change Management Mode to FortiGate Remote Management and select OK.
  4. A warning will appear asking if you wish to continue. Select OK.

To use the FortiSwitch CLI:

    config system global
        set switch-mgmt-mode fortilink
    end

Configuring the FortiSwitch remote management port

If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

To configure the remote management port from the FortiSwitch using the CLI:

    config router static
        edit 1
            set device mgmt
            set gateway <router_IP_address>
            set dst <router_subnet> <subnet_mask>
        next
    end

Configuring FortiLink LAG

Starting with FortiOS 5.4.0 and FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased bandwidth between the FortiGate and FortiSwitch.

Connect any two ports on the FortiGate to two ports on the FortiSwitch. Make sure that you use the designated FortiLink port as one of the ports on the switch.

You can configure the FortiLink as a LAG on the FortiGate by creating a trunk (of type fortilink) with the two ports that you connected to the switch.

To configure the FortiLink as a LAG on the FortiGate:

    config system interface
        edit "fortilink"
            set vdom root
            set allowaccess ping capwap http https
            set type fortilink
            set member port4 port5
            set snmp-index 17
            set lacp-mode static
        next
    end

    config system ntp
        set ntpsync enable
        set syncinterval 60
        set server-mode enable
        set interface "fortilink"
    end

There is no specific configuration required for the LAG on the switch.
