Set up the FortiGate device

6.4.6
  1. Configure the routing so that the FortiGate device can reach the FortiSwitch units. For example, the following figure shows a static route to the destination network 10.33.33.0/24, which is the network used by the FortiSwitch units. The gateway IP address is 10.40.88.253, the address of the WAN router interface that is connected to the FortiGate unit.

  2. Configure a dedicated FortiLink interface to control the FortiSwitch units that connect to the FortiGate device from remote locations. Use the CLI to create the dedicated FortiLink interface; it then appears in the FortiLink interface list in the GUI. Set the interface type to aggregate, assign an IP address, enable FortiLink, and set the switch controller source IP to fixed so that the switch controller always sources its CAPWAP traffic from the FortiLink interface address (172.17.1.254 in this example) rather than from whichever interface the traffic happens to leave on. The FortiSwitch units must be able to reach this address through the WAN router.

    FGT_Switch_Controller # config system interface
    FGT_Switch_Controller (interface) # edit fol3_wan
    FGT_Switch_Controller (fol3_wan) # set vdom root
    FGT_Switch_Controller (fol3_wan) # set type aggregate
    FGT_Switch_Controller (fol3_wan) # set ip 172.17.1.254/24
    FGT_Switch_Controller (fol3_wan) # set fortilink enable
    FGT_Switch_Controller (fol3_wan) # set switch-controller-source-ip fixed
    FGT_Switch_Controller (fol3_wan) # end

  3. Configure a firewall policy that allows the connections from the FortiSwitch units to the FortiLink interface. The service is CAPWAP (UDP port 5246); the example policy also allows ALL_ICMP so that the switch controller and the switches can be pinged for troubleshooting. Keep the source address object (fsw in this example) scoped to the FortiSwitch management network rather than using all, so that only the switch subnet can reach the switch controller across the WAN. Configure the policy in the GUI first, specifying that the destination interface is the same as the source interface (the GUI does not let you select the FortiLink interface as the destination).

    Then edit the policy in the CLI and change the destination interface to the FortiLink interface. The show output below is the policy as created in the GUI, before the change.

    FGT_Switch_Controller # config firewall policy
    FGT_Switch_Controller (policy) # edit 5
    FGT_Switch_Controller (5) # show
    config firewall policy
        edit 5
            set name "fsw_to_fol3_wan"
            set uuid 98af1592-354d-51eb-e09e-8d8000c0663a
            set srcintf "wan"
            set dstintf "wan"
            set srcaddr "fsw"
            set dstaddr "fol3_wan_IP"
            set action accept
            set schedule "always"
            set service "CAPWAP" "ALL_ICMP"
        next
    end
    FGT_Switch_Controller (5) # set dstintf fol3_wan
    FGT_Switch_Controller (5) # end

    The firewall policy is listed in the GUI.
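The three steps above collected into one complete CLI configuration, as an added example written for this page rather than Fortinet's own sample configuration. It uses the values from the steps (FortiSwitch network 10.33.33.0/24 via gateway 10.40.88.253, FortiLink interface fol3_wan with 172.17.1.254/24, policy fsw_to_fol3_wan with services CAPWAP and ALL_ICMP) and assumes that the WAN-facing interface is named wan, as in the policy shown above, and that the address objects fsw and fol3_wan_IP do not exist yet. The subnets given to those address objects, the device name on the static route, the use of edit 0 (which lets FortiOS assign the next free route and policy ID instead of the ID 5 shown above) and the logtraffic setting are assumptions for illustration.

```fortios
# Added example: complete FortiLink-over-layer-3 setup on the FortiGate.
# Assumed interface name "wan"; assumed address-object subnets; assumed logtraffic.

# Step 1: static route to the FortiSwitch management network via the WAN router
config router static
    edit 0
        set dst 10.33.33.0 255.255.255.0
        set gateway 10.40.88.253
        set device "wan"
    next
end

# Address objects used by the policy. fsw is scoped to the switch subnet only
# (not "all"), fol3_wan_IP is the single FortiLink interface address.
config firewall address
    edit "fsw"
        set subnet 10.33.33.0 255.255.255.0
    next
    edit "fol3_wan_IP"
        set subnet 172.17.1.254 255.255.255.255
    next
end

# Step 2: dedicated FortiLink aggregate interface with a fixed controller source IP
config system interface
    edit "fol3_wan"
        set vdom "root"
        set type aggregate
        set ip 172.17.1.254 255.255.255.0
        set fortilink enable
        set switch-controller-source-ip fixed
    next
end

# Step 3: policy from the WAN interface to the FortiLink interface, in its
# final form (destination interface already set to fol3_wan, so the
# GUI-then-CLI workaround from the procedure is not needed here).
config firewall policy
    edit 0
        set name "fsw_to_fol3_wan"
        set srcintf "wan"
        set dstintf "fol3_wan"
        set srcaddr "fsw"
        set dstaddr "fol3_wan_IP"
        set action accept
        set schedule "always"
        set service "CAPWAP" "ALL_ICMP"
        set logtraffic all
    next
end
```

After applying it, confirm the route with get router info routing-table static and the switch connections with execute switch-controller get-conn-status; the FortiSwitch units should show up as connected to the switch controller once their own side is configured to reach 172.17.1.254.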
