Optional FortiLink configuration
This section covers the following topics:
- Assigning roles to FortiLink VLAN interfaces
- Using the FortiSwitch serial number for automatic name resolution
- Changing the admin password on the FortiGate for all managed FortiSwitch units
- Disabling the FortiSwitch console port login
- Using automatic network detection and configuration
- Limiting the number of parallel processes for FortiSwitch configuration
- Configuring access to management and internal interfaces
- Enabling FortiLink VLAN optimization
- Configuring the MAC sync interval
- Configuring the FortiSwitch management port
- Multiple FortiLink interfaces
- Grouping FortiSwitch units
- Improving the FortiLink connection
- FortiLink with HTTPS
Assigning roles to FortiLink VLAN interfaces
If you are using the FortiGate unitʼs security rating feature, you need to assign a role of LAN, WAN, or DMZ to your FortiLink VLAN interfaces before referencing them in any firewall policies. If this is not done, the security rating score is lowered until the issue is remedied, due to failing the “Interface Classification” requirement.
Using the FortiSwitch serial number for automatic name resolution
By default, you can check that a FortiSwitch unit is reachable from the FortiGate unit with the execute ping <FortiSwitch_IP_address> command. If you want to use the FortiSwitch serial number instead of the FortiSwitch IP address, use the following commands:
config switch-controller global
set sn-dns-resolution enable
end
NOTE: The set sn-dns-resolution enable configuration is enabled by default.
Then you can use the execute ping <FortiSwitch_serial_number>.<domain_name> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024.fsw
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms
Optionally, you can omit the domain name (.fsw) from the command by setting the default DNS domain on the FortiGate unit.
config system dns
set domain "fsw"
end
Now you can use the execute ping <FortiSwitch_serial_number> command to check if the FortiSwitch unit is accessible from the FortiGate unit. For example:
FG100D3G15817028 (root) # execute ping S524DF4K15000024
PING S524DF4K15000024.fsw (123.456.7.8): 56 data bytes
64 bytes from 123.456.7.8: icmp_seq=0 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=3 ttl=64 time=0.0 ms
64 bytes from 123.456.7.8: icmp_seq=4 ttl=64 time=0.0 ms
--- S524DF4K15000024.fsw ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Changing the admin password on the FortiGate for all managed FortiSwitch units
By default, each FortiSwitch unit has an admin account with no password set, so the account can be used without authentication until one is configured. To set the admin password on all FortiSwitch units managed by a FortiGate, use the following commands from the FortiGate CLI. The password in the profile is pushed to the switches only while login-passwd-override is enabled:
config switch-controller switch-profile
edit default
set login-passwd-override {enable | disable}
set login-passwd <password>
next
end
If you have already applied a profile with the override enabled and a password set, and later decide to remove the admin password, apply a profile with the override enabled and no password set; otherwise, the previously set password remains on the FortiSwitch unit. For example:
config switch-controller switch-profile
edit default
set login-passwd-override enable
unset login-passwd
next
end
Disabling the FortiSwitch console port login
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, administrators can use the FortiSwitch profile to control whether users can log in through the console port of a managed FortiSwitch unit. By default, console port login is enabled.
To change the FortiSwitch profile:
config switch-controller switch-profile
edit {default | <FortiSwitch_profile_name>}
set login {enable | disable}
next
end
To disable logging in to the managed FortiSwitch console port in the default FortiSwitch profile:
config switch-controller switch-profile
edit default
set login disable
end
To change which FortiSwitch profile is used by a managed switch:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set switch-profile {default | <FortiSwitch_profile_name>}
end
For example:
config switch-controller managed-switch
edit S524DF4K15000024
set switch-profile new_switch_profile
end
Using automatic network detection and configuration
There are three commands that let you use automatic network detection and configuration.
To specify which policies can override the defaults for a specific ISL, ICL, or FortiLink interface:
config switch-controller auto-config custom
edit <automatically configured FortiLink, ISL, or ICL interface name>
config switch-binding
edit "switch serial number"
set policy "custom automatic-configuration policy"
next
end
next
end
To specify policies that are applied automatically for all ISL, ICL, and FortiLink interfaces:
config switch-controller auto-config default
set fgt-policy <default FortiLink automatic-configuration policy>
set isl-policy <default ISL automatic-configuration policy>
set icl-policy <default ICL automatic-configuration policy>
end
NOTE: The ICL automatic-configuration policy requires FortiOS 6.2.0 or later.
To specify policy definitions that define the behavior on automatically configured interfaces:
config switch-controller auto-config policy
edit <policy_name>
set qos-policy <automatic-configuration QoS policy>
set storm-control-policy <automatic-configuration storm-control policy>
set poe-status {enable | disable}
set igmp-snooping-flood-reports {enable | disable}
set mcast-snooping-flood-traffic {enable | disable}
end
Limiting the number of parallel processes for FortiSwitch configuration
Use the following CLI commands to reduce the number of parallel processes that the switch controller uses for configuring FortiSwitch units:
config global
config switch-controller system
set parallel-process-override enable
set parallel-process <1-300>
end
end
Configuring access to management and internal interfaces
The set allowaccess command configures access to all interfaces on a FortiSwitch unit. If you need to have different access to the FortiSwitch management interface and the FortiSwitch internal interface, you can set up a local-access security policy with the following commands:
config switch-controller security-policy local-access
edit <policy_name>
set mgmt-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
set internal-allowaccess {https | ping | ssh | snmp | http | telnet | radius-acct}
end
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set access-profile <name_of_policy>
end
For example:
config switch-controller security-policy local-access
edit policy1
set mgmt-allowaccess https ping ssh radius-acct
set internal-allowaccess https ssh snmp telnet
end
config switch-controller managed-switch
edit S524DF4K15000024
set access-profile policy1
end
NOTE: After you upgrade to FortiOS 6.2, the allowaccess settings for the FortiSwitch mgmt and internal interfaces are overridden by the default local-access security policy.
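The three hardening settings above (the admin password override, the console login switch in the FortiSwitch profile, and the per-interface allowaccess lists in the local-access policy) are easy to get wrong because FortiOS show output omits any setting that is still at its default. The following script is an added example, not Fortinet code: it parses a constructed dump in the shape of show switch-controller switch-profile, show switch-controller security-policy local-access and show switch-controller managed-switch, treats a missing line as the documented default (login enable, login-passwd-override disable), and reports switches whose profile still allows console login or does not enforce a password, or whose policy exposes http or telnet. The serials, the ENC value, the contents of the default local-access policy and the assumption that a switch with no explicit profile or access-profile uses the entries named default are all assumptions of the example.

```python
"""Audit FortiSwitch hardening from FortiGate 'show' output (added example, not Fortinet code).

A missing 'set' line is read as the documented default: login enable,
login-passwd-override disable.  Nested sub-tables such as 'config ports' are skipped.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of FortiOS 'show' output; serials and the ENC value are made up.
SAMPLE = """\
config switch-controller switch-profile
    edit "default"
        set login-passwd-override enable
        set login-passwd ENC AAAAexamplevalue==
        set login disable
    next
    edit "lab_profile"
    next
end
config switch-controller security-policy local-access
    edit "default"
        set mgmt-allowaccess https ping ssh snmp http telnet
        set internal-allowaccess https ping ssh snmp http telnet
    next
    edit "policy1"
        set mgmt-allowaccess https ping ssh radius-acct
        set internal-allowaccess https ssh snmp telnet
    next
end
config switch-controller managed-switch
    edit "S524DF4K15000024"
        set switch-profile "default"
        set access-profile "policy1"
        config ports
            edit "port1"
                set vlan "default"
            next
        end
    next
    edit "S248EPTF18001384"
        set switch-profile "lab_profile"
    next
end
"""

CLEARTEXT = {"http", "telnet"}  # services that carry credentials unencrypted


def parse_show(text):
    """Return {table: {entry: {setting: [values]}}} from 'show' output."""
    tables = defaultdict(dict)
    table = entry = None
    nested = 0
    for raw in text.splitlines():
        line = raw.strip()
        if nested:  # inside a sub-table such as 'config ports': skip to its matching 'end'
            if line.startswith("config "):
                nested += 1
            elif line == "end":
                nested -= 1
            continue
        if line.startswith("config "):
            if entry is None:
                table = line[len("config "):]
            else:
                nested = 1
            continue
        m = re.match(r'edit "?(.+?)"?$', line)
        if m and table is not None:
            entry = m.group(1)
            tables[table][entry] = {}
            continue
        if line == "next":
            entry = None
            continue
        if line == "end":
            table = None
            continue
        m = re.match(r"set (\S+)(.*)", line)
        if m and entry is not None:
            tables[table][entry][m.group(1)] = [v.strip('"') for v in m.group(2).split()]
    return dict(tables)


def audit(tables):
    """Return (serial, finding) pairs for every managed switch in the parsed dump."""
    profiles = tables.get("switch-controller switch-profile", {})
    policies = tables.get("switch-controller security-policy local-access", {})
    findings = []
    for serial, sw in tables.get("switch-controller managed-switch", {}).items():
        # Assumption: a switch with no explicit profile/policy uses the entries named "default".
        prof_name = sw.get("switch-profile", ["default"])[0]
        prof = profiles.get(prof_name, {})
        if prof.get("login", ["enable"])[0] == "enable":
            findings.append((serial, f"profile {prof_name}: console login enabled"))
        if prof.get("login-passwd-override", ["disable"])[0] != "enable" or "login-passwd" not in prof:
            findings.append((serial, f"profile {prof_name}: admin password not enforced"))
        pol_name = sw.get("access-profile", ["default"])[0]
        pol = policies.get(pol_name, {})
        for iface in ("mgmt-allowaccess", "internal-allowaccess"):
            exposed = CLEARTEXT & set(pol.get(iface, []))
            if exposed:
                findings.append((serial, f"policy {pol_name}: {iface} allows {' '.join(sorted(exposed))}"))
    return findings


if __name__ == "__main__":
    for serial, finding in audit(parse_show(SAMPLE)):
        print(f"{serial}: {finding}")
```

Run it against a real dump by pasting the three show outputs into SAMPLE. Because the parser reads absence as the default, a profile that was never edited (lab_profile in the sample) is reported for both console login and the missing password, which is exactly the state a freshly created profile is in.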
Enabling FortiLink VLAN optimization
When inter-switch links (ISLs) are automatically formed on trunks, the switch controller allows VLANs 1-4093 on ISL ports. This configuration can increase data processing on the FortiSwitch unit. When VLAN optimization is enabled, the FortiSwitch unit allows only user-defined VLANs on the automatically generated trunks.
NOTE: VLAN optimization is enabled by default.
To enable FortiLink VLAN optimization on FortiSwitch units from the FortiGate unit:
config switch-controller global
set vlan-optimization enable
end
NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.
Configuring the MAC sync interval
Use the following commands to configure the global MAC sync interval. The MAC sync interval is the time between MAC address synchronizations. The range is 30 to 600 seconds, and the default value is 60.
config switch-controller mac-sync-settings
set mac-sync-interval <30-600>
end
Configuring the FortiSwitch management port
If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.
Using the FortiGate GUI
- Go to Network > Static Routes > Create New > Route.
- Set Destination to Subnet and enter a subnetwork and mask.
- Set Device to the management interface.
- Add a Gateway IP address.
Using the FortiSwitch CLI
Enter the following commands:
config router static
edit 1
set device mgmt
set gateway <router IP address>
set dst <router subnet> <subnet mask>
end
end
In the following example, the FortiSwitch management port is connected to a router with IP address 192.168.0.10:
config router static
edit 1
set device mgmt
set gateway 192.168.0.10
set dst 192.168.0.0 255.255.0.0
end
end
If provisioned with custom commands on the FortiGate device, the configuration is preserved on the FortiGate device. See Executing custom FortiSwitch scripts.
Multiple FortiLink interfaces
If you are adding a second FortiLink interface, use the CLI to enable FortiLink. For example:
config system interface
edit "fortilink_2"
set fortilink enable
next
end
After that, the interface is available in the GUI to complete the settings. Click Create to add additional FortiLink interfaces.
Grouping FortiSwitch units
You can simplify the configuration and management of complex topologies by creating FortiSwitch groups. A group can include one or more FortiSwitch units and you can include different models in a group.
Using the GUI:
- Go to WiFi & Switch Controller > Managed FortiSwitch.
- Select Create New > FortiSwitch Group.
- In the Name field, enter a name for the FortiSwitch group.
- In the Members field, click + to select which switches to include in the FortiSwitch group.
- In the Description field, enter a description of the FortiSwitch group.
- Select OK.
Using the CLI:
config switch-controller switch-group
edit <name>
set description <string>
set members <serial-number> <serial-number> ...
end
end
Grouping FortiSwitch units allows you to restart all of the switches in the group instead of individually. For example, you can use the following command to restart all of the FortiSwitch units in a group named my-sw-group:
execute switch-controller switch-action restart delay switch-group my-sw-group
Upgrading the firmware of FortiSwitch groups is easier, too, because fewer commands are needed. See the next section for the procedure.
Improving the FortiLink connection
Starting in FortiOS 7.4.0, there are two CLI commands under config switch-controller system that you can use to improve the FortiLink connection:
- Use the set caputp-echo-interval <8-600> command to set the interval for the Control and Provisioning of Unified Termination Points (CAPUTP) ECHO requests from the Scheduling Wide-area Transport Protocol (SWTP). The default value is 30 seconds. A shorter interval means that an offline device is detected sooner.
- Use the set caputp-max-retransmit <0-64> command to set the maximum number of times that CAPUTP tunnel packets are retransmitted. The default value is 4. A lower retransmission count causes the CAPUTP daemon to time out sooner and then restart, for faster failover.
FortiLink with HTTPS
Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can use FortiLink with HTTPS to manage FortiSwitch units. Using FortiLink with HTTPS simplifies the management process and improves the user experience and efficiency.
The FortiGate device supports using both the CAPWAP protocol and HTTPS at the same time. Each FortiSwitch unit supports using the CAPWAP protocol or HTTPS; you cannot use both protocols to manage the same FortiSwitch unit.
FortiLink with HTTPS uses the same technology as FortiLAN Cloud to operate over both layer 2 and layer 3.
When you are using FortiLink with HTTPS to manage FortiSwitch units, the same FortiLink features are supported as when you are using FortiLink with the CAPWAP protocol.
To use FortiLink with HTTPS:
- On the FortiSwitch unit, enable the FortiLink HTTPS management mode (CAPWAP remains enabled):
config switch-controller global
set mgmt-mode https
end
- On the FortiSwitch unit, set the FortiLAN Cloud service type to FortiLink with HTTPS, enter the IPv4 address of the FortiGate FortiLink interface as the name, and enable the status:
config system flan-cloud
set service-type fortilink-https
set name <FortiLink_IPv4_address>
set status enable
end
- On the FortiGate device, authorize the FortiSwitch unit if it has not already been authorized:
config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set fsw-wan1-admin enable
next
end
- On the FortiGate device, check that the tunnel has been established to allow FortiLink with HTTPS. In the FLAG column, T marks a switch connected over the tunnel:
execute switch-controller get-conn-status
For example:
FGT_A (vdom1) (Interim)# execute switch-controller get-conn-status
Managed-devices in current vdom vdom1:

FortiLink interface : port11
SWITCH-ID        VERSION         STATUS          FLAG  ADDRESS     JOIN-TIME                 SERIAL
S524DN4K16000116 v7.4.0 (0796)   Authorized/Up   2T    10.255.1.2  Mon Dec 18 15:41:34 2023  S524DN4K16000116
S248EPTF18001384 v7.4.1 (787)    Authorized/Up   2     10.255.1.5  Mon Dec 18 15:41:43 2023  S248EPTF18001384
S248EPTF18001827 N/A             Discovered/Down 2     N/A                                   S248EPTF18001827
S124EN5918003682 N/A             Discovered/Down 2     N/A                                   S124EN5918003682

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
Managed-Switches: 4 (UP: 2 DOWN: 2 MAX: 72)
- On the FortiSwitch unit, check that FortiLAN Cloud has established the FortiLink connection:
get system flan-cloud-mgr connection-info
For example:
S524DN4K16000116 # get system flan-cloud-mgr connection-info
Service Name:         : FortiLink
User Account-ID       : 0
SSL verify Code       : ok
Access Service        : IP= 10.255.1.1, Port= 443, Connected on: 2023-12-18 15:41:33
Bootstrap Service     : hostname= , Port= 0
State-Machine         : State= FLAN_MGR_STATE_READY, Event= EV_READY_SSL_SESSION_ESTD
SSL Local End-Point   : Interface: internal, IP: 10.255.1.2
SSL Tunnel Uptime     : Days: 0 Hours: 0 Mins: 2 [Connected @2023-12-18 15:41:33]
SSL Tunnel stats      : restart-count= 279, Restart Reason= Boot-Strap fails to setup SSL to Cloud
Stats:
========
Switch Keep Alive Tx/Reply   := 3 / 1
Manager Keep Alive Rx/Error  := 2 / 0
Socks Req Rx/Last Stream-ID  := 1193 / 5
Reset Req Rx/last Stream-ID  := 137 / 276
Goaway Req Rx                := 0
Unknown Req Rx               := 0
Syslog FD/Tx/Err             := 10 / 62 / 0

FortiLink details
=======================
stream_id                       : 5
online state_id                 : 7
localSock fd                    : 11
stpTelSock fd                   : 12
dhcpTelSock fd                  : 13
igmpsTelSock fd                 : 14
macSock fd                      : 15
cmfSock fd                      : 16
FortiGate - no response counter : 0
FortiGate - [Last no response time @1969-12-31 16:00:00]
online TX counter               : 6
online RX_ACK counter           : 6
online RX_NACK counter          : 0
topology req                    : 8
topology resp                   : 4
system telemetry req            : 8
system telemetry resp           : 3
interface telemetry req         : 2
interface telemetry resp        : 2
mac telemetry req               : 0
mac telemetry resp              : 0
dot1x user req                  : 0
dot1x user resp                 : 0
lldp nbr req                    : 0
lldp nbr resp                   : 0
mac cache req                   : 0
mac cache resp                  : 0
trunk state req                 : 21
trunk state resp                : 7
port state req                  : 4
port state resp                 : 2
poe status req                  : 0
poe status resp                 : 0

Used SOCKS stream-id:
=======================
SID  SockFd  Proxy-Ports      State  Description
___________________________________________________________________
1    0       UNKNOWN:0<-->0   DATA   BOOTSTRAP
3    0       UDP:9514<-->0    DATA   SYSLOG DATA
5    0       UNKNOWN:0<-->0   DATA   FORTILINK
To log in from the FortiGate device to a switch managed by FortiLink with HTTPS:
execute switch-controller ssh <FortiSwitch_user_name> <FortiSwitch_serial_number>
For example:
execute switch-controller ssh admin S524DF4K15000024