Using the FortiGate CLI

This section describes how to configure FortiLink using the FortiGate CLI. Fortinet recommends using the FortiGate GUI because the CLI procedures are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with no configuration steps on the FortiSwitch and with a few simple configuration steps on the FortiGate unit.

You can also configure FortiLink mode over a layer-3 network.

Summary of the procedure

  1. Configure FortiLink on a physical port or configure FortiLink on a logical interface.
  2. Configure NTP.
  3. Authorize the managed FortiSwitch unit.
  4. Configure DHCP.

Configure FortiLink on a physical port

Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch.

In the following steps, port 1 is configured as the FortiLink port.

  1. If required, remove port 1 from the lan interface:

    config system virtual-switch
    edit lan
    config port
    delete port1
    end
    end

  2. Configure port 1 as the FortiLink interface:

    config system interface
    edit port1
    set auto-auth-extension-device enable
    set fortilink enable
    end

    With auto-auth-extension-device enabled, any FortiSwitch (or FortiAP) that appears on port 1 is authorized automatically. If you want every switch to be authorized explicitly by serial number, leave it disabled and rely on step 4.

  3. Configure an NTP server on port 1:

    config system ntp
    set server-mode enable
    set interface port1
    end

  4. Authorize the FortiSwitch unit as a managed switch, using its serial number as the entry name:

    config switch-controller managed-switch
    edit FS224D3W14000370
    set fsw-wan1-admin enable
    end

  5. The FortiSwitch unit reboots when you issue the set fsw-wan1-admin enable command.

Configure FortiLink on a logical interface

You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch.

LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. Hardware switch is supported on some FortiGate models.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch unit. Ensure that you configure auto-discovery on the FortiSwitch ports (unless it is auto-discovery by default).

NOTE: Starting with FortiOS 6.2.2, you can use the default fortilink aggregate interface and then add ports. This configuration is available for all FortiGate E series models, 100 and higher. For FortiGate models lower than 100, you can use the default fortilink hardware switch or software switch interface and then add ports.

In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.

  1. If required, remove the FortiLink ports from the lan interface:

    config system virtual-switch
    edit lan
    config port
    delete port4
    delete port5
    end
    end

  2. Create an aggregate interface with the two ports that you connected to the switch. The interface name can be at most 11 characters; flink1 is used here:

    config system interface
    edit flink1
    set ip 169.254.3.1 255.255.255.0
    set allowaccess ping capwap https
    set vlanforward enable
    set type aggregate
    set member port4 port5
    set lacp-mode static
    set fortilink enable
    (optional) set fortilink-split-interface enable
    next
    end

    NOTE: If the members of the aggregate interface connect to more than one FortiSwitch unit, you must enable fortilink-split-interface.

    Keep allowaccess limited to what FortiLink needs: capwap carries the switch management traffic, and ping and https are the services this procedure enables. Do not add administrative protocols such as ssh, http, or telnet to the FortiLink interface.

  3. Authorize the FortiSwitch unit as a managed switch, using its serial number as the entry name:

    config switch-controller managed-switch
    edit FS224D3W14000370
    set fsw-wan1-admin enable
    end

NOTE: The FortiSwitch unit reboots when you issue the set fsw-wan1-admin enable command.
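Both procedures above (single port and LAG) end with a FortiLink interface whose name length and allowaccess list are easy to get wrong, and those mistakes are invisible once the configuration is saved. The following Python script is an added example, not part of this page and not Fortinet tooling: it parses a FortiOS `config system interface` dump (the text that `show system interface` prints) into nested dicts and flags FortiLink-enabled interfaces that expose services beyond ping, capwap and https, that exceed the 11-character name limit, or that are aggregates with fewer than two members. The sample configuration embedded in it is constructed for the example (flink1 mirrors the LAG procedure; fortilink-dmz is deliberately wrong), and the check names are the example's own.

```python
"""Audit FortiLink interfaces in a FortiOS configuration dump (added example)."""
import shlex

# The only services the FortiLink procedures on this page enable on the
# FortiLink interface. capwap carries switch management; anything else
# (ssh, http, telnet, snmp, ...) is extra attack surface on that link.
FORTILINK_ALLOWACCESS = {"ping", "capwap", "https"}
MAX_FORTILINK_NAME = 11  # limit stated in the LAG procedure above

# Constructed sample: flink1 mirrors the LAG procedure above, the second
# entry is a deliberately bad FortiLink interface, wan1 is not FortiLink.
SAMPLE_CONFIG = """
config system interface
    edit "flink1"
        set ip 169.254.3.1 255.255.255.0
        set allowaccess ping capwap https
        set vlanforward enable
        set type aggregate
        set member "port4" "port5"
        set lacp-mode static
        set fortilink enable
    next
    edit "fortilink-dmz"
        set ip 169.254.4.1 255.255.255.0
        set allowaccess ping https ssh http capwap
        set type aggregate
        set member "port6"
        set fortilink enable
    next
    edit "wan1"
        set allowaccess ping https ssh
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config <table>' opens a table, 'edit <key>' opens an entry and
    'set <attr> v...' stores a list of values. 'next' closes an entry;
    'end' closes the open entry (if any) and its enclosing table, which
    is how the CLI itself treats 'end' typed inside an edit.
    """
    root = {}
    stack = [(root, "config")]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # shlex strips the quotes around "port4"
        keyword, args = tokens[0], tokens[1:]
        node = stack[-1][0]
        if keyword == "config":
            stack.append((node.setdefault(" ".join(args), {}), "config"))
        elif keyword == "edit":
            stack.append((node.setdefault(args[0], {}), "edit"))
        elif keyword == "set":
            node[args[0]] = args[1:]
        elif keyword == "unset":
            node.pop(args[0], None)
        elif keyword == "next":
            if stack[-1][1] == "edit":
                stack.pop()
        elif keyword == "end":
            while stack[-1][1] == "edit":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return root


def audit_fortilink(config):
    """Return (interface, problem) pairs for every FortiLink-enabled interface."""
    findings = []
    for name, iface in config.get("system interface", {}).items():
        if iface.get("fortilink") != ["enable"]:
            continue
        if len(name) > MAX_FORTILINK_NAME:
            findings.append((name, "name longer than %d characters" % MAX_FORTILINK_NAME))
        extra = set(iface.get("allowaccess", [])) - FORTILINK_ALLOWACCESS
        if extra:
            findings.append((name, "allowaccess also exposes " + ",".join(sorted(extra))))
        if iface.get("type") == ["aggregate"] and len(iface.get("member", [])) < 2:
            findings.append((name, "aggregate has fewer than two members"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit_fortilink(parse_fortios(SAMPLE_CONFIG)):
        print("%s: %s" % (iface, problem))
```

Feed it the output of `show system interface` from the FortiGate; a clean configuration produces no findings. The parser is deliberately tolerant of the documentation style used on this page (an `end` typed directly inside an `edit`) as well as the `next`/`end` pairs a real dump contains.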

Multiple FortiLink interfaces

You can create multiple FortiLink interfaces by creating an interface and enabling the fortilink setting. Use the following steps:

  1. The first FortiLink interface is created by the system by default.
  2. To create a second FortiLink interface:
    1. If you are not using a physical port, create an interface from Network > Interfaces (the supported types are aggregate, hardware switch, or software switch). You only need to specify the interface members and the IP address.
    2. Enable FortiLink from the CLI:

      config system interface
      edit <name>
      set fortilink enable
      end

    The GUI now shows multiple FortiLink interfaces.

You can create additional FortiLink interfaces using the GUI.

FortiLink mode over a layer-3 network

NOTE: Splitting ports is not supported when a FortiSwitch unit is managed through layer 3.

This feature allows FortiSwitch islands to operate in FortiLink mode over a layer-3 network, even though they are not directly connected to the switch-controller FortiGate unit. FortiSwitch islands contain one or more FortiSwitch units.

There are two main deployment scenarios for using FortiLink mode over a layer-3 network:

  • In-band management, which uses the FortiSwitch unitʼs internal interface to connect to the layer-3 network
  • Out-of-band management, which uses the FortiSwitch unitʼs mgmt interface to connect to the layer-3 network

In-band management

To configure a FortiSwitch unit to operate in a layer-3 network, enter the following commands on the FortiSwitch unit:

NOTE: You must enter these commands in the indicated order for this feature to work.

  1. Reset the FortiSwitch unit to factory default settings with the execute factoryreset command.
  2. Manually set the FortiSwitch unit to FortiLink mode:

    config system global
    set switch-mgmt-mode fortilink
    end

  3. Configure the discovery setting for the FortiSwitch unit. You can use either DHCP discovery or static discovery to find the IP address of the FortiGate unit (switch controller) that manages this switch. The default dhcp-option-code is 138. With DHCP discovery the switch takes the controller address from whichever DHCP server answers on its uplink segment, so use static discovery where that DHCP server is not under your control.
    To use DHCP discovery:

    config switch-controller global
    set ac-discovery-type dhcp
    set dhcp-option-code <integer>
    end

    To use static discovery:

    config switch-controller global
    set ac-discovery-type static
    config ac-list
    edit <id>
    set ipv4-address <IPv4_address>
    next
    end
    end

  4. Configure only one physical port or LAG interface of the FortiSwitch unit as an uplink port. When the FortiSwitch unit is in FortiLink mode, VLAN 4094 is configured on an internal port, which can provide a path to the layer-3 network with the following commands:

    config switch interface
    edit <port_number>
    set fortilink-l3-mode enable
    end

    The fortilink-l3-mode command is only visible after you configure DHCP or static discovery.

NOTE:

  • Make certain that each FortiSwitch unit can successfully ping the FortiGate unit.
  • The NTP server must be configured on the FortiSwitch unit, either manually or through DHCP, and must be reachable from the FortiSwitch unit.
  • If more than one port (switch interface) has fortilink-l3-mode enabled, the FortiSwitch unit automatically adds all of those ports to a single link aggregation group (LAG) trunk named __FoRtILnk0L3__ and uses it as one logical uplink. Make certain that the layer-3 network side is also configured as a LAG with a matching LACP mode.
  • In addition to the two layer-3 discovery modes (DHCP and static), there is the default layer-2 discovery broadcast mode. The layer-3 discovery multicast mode is unsupported.
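The dhcp-option-code in step 3 defaults to 138, which is the DHCP option that RFC 5417 defines for a list of CAPWAP access-controller IPv4 addresses; in DHCP discovery mode the FortiSwitch reads the FortiGate address from that option. The following Python script is an added example, not Fortinet code and not part of this page: it encodes a controller list into the option's wire format, decodes and validates one (rejecting a wrong option code, a truncated value, or a length that is not a multiple of 4), produces an ISC dhcpd declaration that advertises the same list, and emits the equivalent FortiSwitch static-discovery commands from step 3 for segments where the DHCP server is not trusted. The addresses are constructed sample values, and the option name capwap-ac-v4 in the dhcpd snippet is this example's own choice (ISC dhcpd lets you name a custom option freely).

```python
"""DHCP option 138 (RFC 5417 CAPWAP AC addresses) as used by FortiSwitch
layer-3 controller discovery (added example)."""
import ipaddress

CAPWAP_AC_OPTION = 138  # FortiSwitch default dhcp-option-code (see step 3 above)


def encode_ac_option(controllers, code=CAPWAP_AC_OPTION):
    """Build the option as it appears on the wire: code, length, IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:  # a DHCP option length is a single byte
        raise ValueError("too many controller addresses for one option")
    return bytes([code, len(payload)]) + payload


def decode_ac_option(option, code=CAPWAP_AC_OPTION):
    """Parse the TLV back into dotted-quad strings, rejecting anything a
    switch should not act on: wrong code, empty, truncated or odd-length value."""
    if len(option) < 2 or option[0] != code:
        raise ValueError("not DHCP option %d" % code)
    length = option[1]
    payload = option[2:2 + length]
    if length == 0 or length % 4 or len(payload) != length:
        raise ValueError("option value must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def isc_dhcpd_snippet(controllers, code=CAPWAP_AC_OPTION):
    """ISC dhcpd declaration advertising the controller list (option name is
    this example's own; dhcpd custom options can be named freely)."""
    decoded = decode_ac_option(encode_ac_option(controllers, code), code)  # validate
    return ("option capwap-ac-v4 code %d = array of ip-address;\n"
            "option capwap-ac-v4 %s;" % (code, ", ".join(decoded)))


def fortiswitch_static_cli(controllers):
    """Equivalent FortiSwitch static-discovery commands (step 3, static branch),
    for uplink segments where the DHCP server is not trusted."""
    lines = ["config switch-controller global",
             "set ac-discovery-type static",
             "config ac-list"]
    for idx, c in enumerate(controllers, 1):
        lines += ["edit %d" % idx,
                  "set ipv4-address %s" % ipaddress.IPv4Address(c),
                  "next"]
    lines += ["end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    wire = encode_ac_option(["10.0.0.1", "10.0.0.2"])  # constructed sample controllers
    print(wire.hex())
    print(decode_ac_option(wire))
    print(isc_dhcpd_snippet(["10.0.0.1", "10.0.0.2"]))
    print(fortiswitch_static_cli(["10.0.0.1", "10.0.0.2"]))
```

A switch in DHCP discovery mode will attempt to reach whatever address the option carries, so the validation here only guards against malformed values, not against a DHCP server that is itself untrusted; that is what the static branch is for.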

Connecting additional FortiSwitch units to the first FortiSwitch unit

In this scenario, the default FortiLink-enabled port of FortiSwitch 2 is connected to FortiSwitch 1, and the two switches then form an auto-ISL. You only need to configure the discovery settings (see Step 3) for additional switches (FortiSwitch 2 in the following diagram). You do not need to enable fortilink-l3-mode on the uplink port. Check that each FortiSwitch unit can reach the FortiGate unit.

Out-of-band management

If you use the mgmt port to connect to the layer-3 network, you do not need to enable fortilink-l3-mode on any physical port because the mgmt port is directly connected to the layer-3 network.

Note

You can use the internal interface for one FortiSwitch island to connect to the layer-3 network and the mgmt interface for another FortiSwitch island to connect to the same layer-3 network. Do not mix the internal interface connection and mgmt interface connection within a single FortiSwitch island.

Other topologies

If you have a layer-2 loop topology, make certain that the alternative path can reach the FortiGate unit and that STP is enabled on the FortiLink layer-3 trunk.

If you have two FortiSwitch units separately connected to two different intermediary routers or switches, the uplink interfaces for both FortiSwitch units must have fortilink-l3-mode enabled. If the FortiSwitch units are also connected to each other, an auto-ISL forms automatically, and STP must be enabled to avoid loops.

A single logical uplink interface (which can be a LAG) is supported when the FortiSwitch units use the internal interface as the FortiLink management interface.

You can use a LAG connected to a single intermediary router or switch. A topology with multiple ports connected to different intermediary routers or switches is not supported.

Limitations

The following limitations apply to FortiSwitch islands operating in FortiLink mode over a layer-3 network:

  • All FortiSwitch units using this feature must be included in the FortiGate preconfigured switch table.
  • No layer-2 data path component, such as VLANs, can span across layer 3 between the FortiGate unit and the FortiSwitch unit.
  • All FortiSwitch units within a FortiSwitch island must be connected to the same FortiGate unit.
  • The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as a syslog server or an 802.1X authentication server.
  • Do not connect a layer-2 FortiGate unit and a layer-3 FortiGate unit to the same FortiSwitch unit.
  • If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FortiSwitch island can contain only one FortiSwitch unit. All switch ports must remain in standalone mode. If you need more than one physical link, you can group the links as a link aggregation group (LAG).
  • Do not connect a FortiSwitch unit to a layer-3 network and a layer-2 network on the same segment.
  • If the network has a wide geographic distribution, some features, such as software downloads, might operate slowly.
  • After a topology change, make certain that every FortiSwitch unit can reach the FortiGate unit.
