By Manny Fernandez

January 28, 2019

Fortilink over TCP

If you are not familiar with FortiLink, you should get familiar with it. FortiLink allows you to manage FortiSwitches via the FortiGate GUI. This is great for remote offices and even access-layer switches. Fortinet partners with the likes of Arista for larger “core” implementations. Please note: Fortinet has partnerships with many of the switch manufacturers out there, such as Cisco, Arista, and Brocade.

You can connect the switches directly to the FortiGate and manage them via a Layer 2 connection, but sometimes this is impossible, since the FortiGate may be off site. We had a customer with regional offices connected via MPLS to multiple remote offices within each region, and the egress was a FortiGate. They managed the remote offices that connected to the regional office via FortiLink over TCP.

Let's get started.

NETWORK DIAGRAM

I labbed this up in my house and here is what I had:

Nothing complicated for sure, just wanted to create a proof of concept.

Here is the configuration. This can be done either with DHCP or Static IPs. I only tested it with static, but I will update this post once I have validation that the DHCP works.

ON THE FORTIGATE

On the FortiGate, you will need to assign an IP address to the interface that will act as the FortiLink. In my PoC, I used port3 and 192.168.0.199/24 as the IP address and mask. Then you will need to ensure that ‘Dedicated to FortiSwitch’ is selected. It will disable most of the features you are accustomed to seeing.

NOTE: Ensure that the FortiGate has routes (either static or dynamic) to where the FortiSwitches are going to live.

Once this is configured on the FortiGate, you will not need to go back into it for a bit. Let's now move to the switch.

ON THE FORTISWITCH

On the FortiSwitch, you will need to either connect to the Management port (if applicable) or via the console. Either way, you will need to tell the switch that it is going to be in FortiLink mode.

NOTE: Remember that the FortiSwitches use 115200 as the baud rate.

config system global
set switch-mgmt-mode fortilink
end

This will reboot the FortiSwitch.

When the FortiSwitch reboots, log in again as ‘admin’ with no password, and then add the following:

config system interface
edit "internal"
set mode static
set ip 192.168.169.10 255.255.255.0
set allowaccess ping https http ssh telnet
next
end

NOTE: Once this FortiSwitch is on the FortiGate, please set a password for the admin account on the switch.

The ‘internal’ interface is the equivalent of VLAN 1 on a Cisco switch. All ports are part of ‘internal’ except for the ‘Management’ port, if your device has one.

Now you will need to make sure that the switch knows how to get back to the FortiGate:

config router static
edit 1
set device "internal"
set dst 0.0.0.0 0.0.0.0
set gateway 192.168.169.1
next
end

Next, you will need to set the NTP server to point to the FortiGate:

config system ntp
set allow-unsync-source enable
config ntpserver
edit 1
set server "192.168.0.199"
next
end
set ntpsync enable
end

Now you are going to tell the switch where the controller is located:

config switch-controller global
set ac-discovery-type static
config ac-list
edit 1
set ipv4-address 192.168.0.199
next
end
end

Now, finally, you are going to dedicate one of the ports to FortiLink:

config switch interface
edit "port24"
set native-vlan 4094
set fortilink-l3-mode enable
end

Now we are going to go back to the FortiGate.

Once you are connected to the FortiGate GUI, go to ‘WiFi & Switch Controller’ and then ‘Managed FortiSwitch’.

You should see the ‘Authorize’ button and the switch in the background grayed out.

Once you click ‘Authorize’, give it a little time and you should see the following:

For the DHCP configuration, you can use the following from a Cisco router that I played with (option 138 carries the controller address, option 42 the NTP server):

ip dhcp excluded-address 192.168.169.1 192.168.169.10
!
ip dhcp pool FSwitch
network 192.168.169.0 255.255.255.0
default-router 192.168.169.1 
option 138 ip 192.168.0.199 
option 42 ip 192.168.0.199 
dns-server 4.2.2.2 8.8.8.8 
option 43 ascii FortiSwitch
!
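If you want to verify what that pool actually hands out, here is an added example (not from the original post) that encodes the pool's options in DHCP TLV wire format and decodes them back, so a captured offer can be checked against the expected FortiLink controller. It assumes option 138 is the RFC 5417 CAPWAP access-controller list (one IPv4 address per 4 bytes) and that option 43 carries the raw ASCII string exactly as the Cisco pool sets it; the sample bytes are constructed from the post's values, not captured traffic.

```python
import ipaddress

# DHCP option codes in the pool: router, DNS, NTP, vendor-specific and 138,
# the CAPWAP access-controller list (RFC 5417) a FortiSwitch uses to find its controller.
OPT_ROUTER, OPT_DNS, OPT_NTP, OPT_VENDOR, OPT_CAPWAP_AC, OPT_END = 3, 6, 42, 43, 138, 255


def ip_list(addrs: list[str]) -> bytes:
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)   # 4 raw bytes each


def build_options(router: str, dns: list[str], ntp: list[str],
                  capwap_ac: list[str], vendor_ascii: str) -> bytes:
    """Encode the pool as DHCP TLVs (code, length, value) followed by END."""
    fields = [(OPT_ROUTER, ip_list([router])), (OPT_DNS, ip_list(dns)),
              (OPT_NTP, ip_list(ntp)), (OPT_VENDOR, vendor_ascii.encode("ascii")),
              (OPT_CAPWAP_AC, ip_list(capwap_ac))]
    out = bytearray()
    for code, value in fields:
        if len(value) > 255:
            raise ValueError(f"option {code} too long for a single TLV")
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])


def parse_options(raw: bytes) -> dict[int, bytes]:
    """Walk the TLV list: skip PAD (0), stop at END (255), reject truncation."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"truncated option at offset {i}")
        length = raw[i + 1]
        opts[raw[i]] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_ips(value: bytes) -> list[str]:
    if len(value) % 4:
        raise ValueError("IPv4 list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]


def controller_matches(raw: bytes, expected: str) -> bool:
    """True when option 138 lists the FortiLink controller we expect."""
    return expected in decode_ips(parse_options(raw).get(OPT_CAPWAP_AC, b""))


# Constructed from the Cisco pool in the post, not captured traffic.
POOL = build_options("192.168.169.1", ["4.2.2.2", "8.8.8.8"],
                     ["192.168.0.199"], ["192.168.0.199"], "FortiSwitch")
```

Feeding the options field of a real DHCPOFFER to `controller_matches` is a quick way to confirm a remote site is pointing its switches at the right FortiGate and not at a rogue DHCP server.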


Hope this helps.

