FortiAP Management – Configuring MAC filter on SSID

Configuring MAC filter on SSID

This guide provides simple configuration instructions for enabling a MAC filter on an SSID. Consider the following for this feature:

  • The MAC filter function is independent of the SSID security mode.
  • To enable MAC filter on SSID, you must first configure the wireless controller address and wireless controller address group. This is covered in the CLI instructions below.

The following shows a simple network topology for this recipe:

To block a specific client from connecting to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this example, the client's MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end

  2. Create a wireless controller address group. Select the above address. Set the default policy to allow:

config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy allow
    next
end

  3. On the virtual access point, select the created address group:

config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied from connecting to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, can connect.

To allow a specific client to connect to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end

  2. Create a wireless controller address group. Select the above address. Set the default policy to deny:

config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy deny
    next
end

  3. On the virtual access point, select the created address group:

config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, are denied from connecting.
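To apply either recipe to a whole list of clients without hand-typing each object, here is an added Python helper (example code, not Fortinet tooling) that validates and normalizes the MAC addresses and emits the three CLI objects above for a deny-list (listed clients blocked, default allow) or an allow-list (listed clients admitted, default deny). The object names client_N, mac_grp and wifi-vap are assumptions taken from the recipe.

```python
import re

# One MAC is six hex octets; ":" or "-" separators are optional, so that
# b4:ae:2b:cb:d1:72, B4-AE-2B-CB-D1-72 and b4ae2bcbd172 all mean the same client.
_MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in the lower-case, colon-separated form FortiOS stores."""
    match = _MAC_RE.match(mac.strip().lower())
    if not match:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(match.groups())


def is_valid_mac(mac: str) -> bool:
    """True if normalize_mac() would accept the string."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def mac_filter_cli(macs, mode, vap="wifi-vap", group="mac_grp"):
    """Build the FortiOS CLI for an SSID MAC filter.

    mode="deny":  every listed client is denied, all others are allowed
                  (address policy deny, addrgrp default-policy allow).
    mode="allow": every listed client is allowed, all others are denied
                  (address policy allow, addrgrp default-policy deny).
    The group default policy is always the opposite of the per-address
    policy; making them equal would either block or admit everyone.
    """
    if mode not in ("allow", "deny"):
        raise ValueError("mode must be 'allow' or 'deny'")
    default_policy = "allow" if mode == "deny" else "deny"

    # Normalize and de-duplicate while keeping the caller's order.
    seen, normalized = set(), []
    for mac in macs:
        norm = normalize_mac(mac)
        if norm not in seen:
            seen.add(norm)
            normalized.append(norm)
    if not normalized:
        raise ValueError("at least one MAC address is required")

    names = [f"client_{i}" for i in range(1, len(normalized) + 1)]
    lines = ["config wireless-controller address"]
    for name, mac in zip(names, normalized):
        lines += [f'    edit "{name}"',
                  f"        set mac {mac}",
                  f"        set policy {mode}",
                  "    next"]
    lines.append("end")

    lines += ["config wireless-controller addrgrp",
              f'    edit "{group}"',
              "        set addresses " + " ".join(f'"{n}"' for n in names),
              f"        set default-policy {default_policy}",
              "    next",
              "end"]

    # Bind the group to the VAP. The SSID's own security mode is left alone:
    # the MAC filter is independent of it and is admission control, not
    # authentication, so the security mode stays the real protection.
    lines += ["config wireless-controller vap",
              f'    edit "{vap}"',
              f'        set address-group "{group}"',
              "    next",
              "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(mac_filter_cli(["b4:ae:2b:cb:d1:72"], "deny"))
```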


FortiAP Management – Support for WPA3 on FAP

Support for WPA3 on FAP

This feature is implemented on FortiOS 6.2.0 B0816 and FAP-S/W2 6.2.0 b0218. In October 2017, Mathy Vanhoef published a paper that exposed a flaw in WPA2 networks known as the Key Reinstallation Attack (KRACK). To counter the attack, the Wi-Fi Alliance announced in January that WPA2 enhancements and a new WPA3 standard were coming in 2018.

The Wi-Fi Alliance defines three areas for improvement:

  • Enhanced Open: The Wi-Fi Alliance proposes using Opportunistic Wireless Encryption (OWE) (RFC 8110) to improve security in open networks.
  • WPA3 Personal: WPA3-Personal uses Simultaneous Authentication of Equals (SAE).
  • WPA3 Enterprise: WPA3-Enterprise adds a new 192-bit security level.

All three areas incorporate Protected Management Frames (PMF) as a prerequisite to protect management frame integrity.

Configuration

  1. WPA3 OWE
    1. WPA3 OWE only: only clients that support WPA3 can connect to this SSID.

config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
        set schedule "always"
    next
end

    2. WPA3 OWE transition: clients connect with plain Open or with OWE depending on their capability. A client that supports WPA3 connects using OWE; a client that does not connects to the Open SSID.

config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
end

  2. WPA3 SAE
    1. WPA3 SAE: clients with WPA3 support can connect to the SSID.

config wireless-controller vap
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password 12345678
    next
end

    2. WPA3 SAE transition: the SSID carries two passwords. A client connects with WPA2 PSK if it uses the passphrase, and with WPA3 SAE if it uses the sae-password.

config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase 11111111
        set schedule "always"
        set sae-password 22222222
    next
end

  3. WPA3 Enterprise: when the security mode is wpa3-enterprise, the auth type can be either RADIUS authentication or local user group authentication.

config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "usergroup"
        set schedule "always"
    next
end
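As an added check (example code, not a FortiOS feature), the following Python parses `config wireless-controller vap` CLI text in the form shown above, including the flattened several-statements-per-line form this page uses, and flags SSIDs whose settings weaken the WPA3 modes described here: PMF not enabled on OWE, SAE or WPA3-Enterprise, PMF disabled on an SAE transition SSID, an open SSID with no OWE transition partner, and a transition SSID that still carries the WPA2 passphrase. The sample configuration is constructed from this page's entries plus two deliberately weak SSIDs I added; the finding wording is mine.

```python
import shlex

# CLI keywords that start a statement; lets "set a b set c d" on one line parse.
_KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}


def _statements(text):
    """Split FortiOS CLI text into [keyword, arg, ...] lists."""
    # Tolerate the curly quotes that copying from a web page introduces.
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    statements, current = [], []
    for token in shlex.split(text):
        if token in _KEYWORDS and current:
            statements.append(current)
            current = []
        current.append(token)
    if current:
        statements.append(current)
    return statements


def parse_vaps(text):
    """Return {vap_name: {attribute: value}} for every entry under
    'config wireless-controller vap'; other tables and sub-tables are skipped."""
    vaps, depth, vap_depth, entry = {}, 0, None, None
    for stmt in _statements(text):
        keyword, args = stmt[0], stmt[1:]
        if keyword == "config":
            depth += 1
            if args == ["wireless-controller", "vap"]:
                vap_depth = depth
        elif keyword == "end":
            if depth == vap_depth:
                vap_depth, entry = None, None
            depth -= 1
        elif vap_depth is not None and depth == vap_depth:
            if keyword == "edit" and args:
                entry = args[0]
                vaps.setdefault(entry, {})
            elif keyword == "set" and entry is not None and len(args) >= 2:
                vaps[entry][args[0]] = " ".join(args[1:])
            elif keyword == "next":
                entry = None
    return vaps


def audit_vap(cfg):
    """Findings for one VAP's attributes; an empty list means it passed."""
    findings = []
    security = cfg.get("security", "open")
    pmf = cfg.get("pmf", "disable")  # FortiOS default when pmf is not set
    if security in ("owe", "wpa3-sae", "wpa3-enterprise") and pmf != "enable":
        findings.append(f"{security} needs 'set pmf enable' (found '{pmf}')")
    if security == "wpa3-sae-transition" and pmf == "disable":
        findings.append("SAE transition needs at least 'set pmf optional'")
    if security == "open" and cfg.get("owe-transition") != "enable":
        findings.append("open SSID with no OWE transition: traffic is unencrypted")
    if cfg.get("owe-transition") == "enable" and not cfg.get("owe-transition-ssid"):
        findings.append("owe-transition enabled but owe-transition-ssid is unset")
    if security == "wpa3-sae-transition" and "passphrase" in cfg:
        findings.append("transition SSID still accepts the WPA2 passphrase; "
                        "remove it once every client supports SAE")
    return findings


def audit_vaps(text):
    """Map every VAP name in the CLI text to its findings."""
    return {name: audit_vap(cfg) for name, cfg in parse_vaps(text).items()}


# Constructed sample: the page's 80e_owe (flattened onto one line, as on this
# page) and 80e_sae-tr entries, plus two weak entries added here: guest_open
# (open, no OWE partner) and lab_sae (SAE without PMF).
SAMPLE = """
config wireless-controller vap
    edit "80e_owe" set ssid "80e_owe" set security owe set pmf enable set schedule "always" next
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase 11111111
        set sae-password 22222222
    next
    edit "guest_open"
        set security open
    next
    edit "lab_sae"
        set security wpa3-sae
        set sae-password 12345678
    next
end
"""

if __name__ == "__main__":
    for name, findings in audit_vaps(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```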

WIFI Statistics – WiFi client monitor

Statistics

WiFi client monitor

The following shows a simple network topology when using FortiAPs with FortiGate:

To view connected WiFi clients on the FortiGate unit, go to Monitor > WiFi Client Monitor. The following columns display:

Column                  Description
SSID                    SSID that the client connected to, such as the tunnel, bridge, or mesh.
FortiAP                 Serial number of the FortiAP unit that the client connected to.
User                    Username if using WPA enterprise authentication.
IP                      IP address assigned to the wireless client.
Device                  Wireless client device type.
Channel                 FortiAP operation channel.
Auth                    Authentication type used.
Channel                 WiFi radio channel in use.
Bandwidth Tx/Rx         Client received and transmitted bandwidth in Kbps.
Signal Strength/Noise   Signal-to-noise ratio in decibels calculated from signal strength and noise level.
Association Time        How long the client has been connected to this AP.
Device OS               Wireless device OS.
Manufacturer            Wireless device manufacturer.
MIMO                    Wireless device MIMO information.

WiFi health monitor

The following shows a simple network topology when using FortiAPs with FortiGate:

The Monitor > WiFi Health Monitor page displays the following charts:

  • Active Clients: Currently active clients on each FortiAP
  • AP Status: APs by status, sorted by those that have been up for over 24 hours, rebooted in the past 24 hours, and down/missing
  • Channel Utilization: Allows users to view the 10-20 most and least utilized channels for each AP radio, plus a third histogram view showing utilization counts
  • Client Count: Shows client count over time. Can be viewed for the past hour, day, or 30 days.
  • Login Failures: Time, SSID, hostname, and username for failed login attempts. The widget also displays the AP name and group of FortiAP units with failed login attempts.
  • Top Wireless Interference: Separate widgets for the 2.4 GHz and 5 GHz bands. This requires spectrum analysis to be enabled on the radios.

WiFi maps

WiFi maps allow you to place FortiAP units on a map, such as an office floor plan. This allows you to know where the FortiAPs are and get their operating statuses at a glance.

To configure WiFi maps on the FortiOS GUI:

  1. Create a WiFi map:
    1. In FortiOS, go to WiFi & Switch Controller > WiFi Maps.
    2. Click Add Map.
    3. Specify the desired map name.
    4. Upload the image file.
    5. If desired, enable the Image grayscale option.
    6. Set the Image opacity.
  2. Place the FortiAP units on the map:
    1. Unlock the map by clicking the lock icon in the top left corner.
    2. Click Unplaced AP(s) beside the lock icon. This displays a list of candidate APs.
    3. Drag and drop the candidate FortiAPs from the list onto the map as desired.
    4. Once all desired FortiAPs have been placed on the map, lock the map.
  3. Hover the cursor over a FortiAP icon to view the operating data for that FortiAP unit.
  4. To configure AP settings, click the FortiAP icon for that unit.
  5. You can show numerical operating data on the FortiAP icons, such as the client count, channel, operating TX power, and channel utilization, using the options in the dropdown list above the map.

To configure WiFi maps using the FortiOS CLI:

You can only upload the WiFi map image file using the FortiOS CLI.

config wireless-controller region
    edit <MAP_NAME>
        set grayscale enable|disable
        set opacity 100 <0-100>
    next
end

config wireless-controller wtp
    edit <FAP_SN>
        set region <MAP_NAME>
        set region-x "0.419911" <0-1>
        set region-y "0.349466" <0-1>
    next
end

Fortinet Security Fabric

The following shows a simple network topology when using FortiAP as part of the Security Fabric:

The Security Fabric > Settings page on the root FortiGate lists all FortiAP devices on the CSF root and leaf.

The Security Fabric > Physical Topology view on the root FortiGate shows the devices in the Security Fabric and the devices they are connected to.

Wireless security

Enabling rogue AP scan

The guide provides simple configuration instructions for enabling ap-scan on FortiAP. The steps include creating a WIDS profile and selecting the WIDS profile on the managed FortiAP.

To enable rogue AP scan on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. Enable the Enable Rogue AP Detection option.
    3. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Enable WIDS Profile. Select the profile created in step 1. Click OK.

To enable rogue AP scan using the FortiOS CLI:

  1. Create a WIDS profile:

config wireless-controller wids-profile
    edit "example-wids-profile"
        set ap-scan enable
    next
end

  2. Select the WIDS profile for the managed FortiAP:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        set handoff-sta-thresh 55
        set ap-country US
        config radio-1
            set band 802.11n
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
        config radio-2
            set band 802.11ac
            set vap-all disable
        end
    next
end

Enabling rogue AP suppression

The guide provides simple configuration instructions for suppressing rogue APs on FortiAP. The steps include creating a WIDS profile and suppressing rogue APs.

To enable rogue AP suppression on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. For Sensor Mode, select Foreign and Home Channels.
    3. Enable the Enable Rogue AP Detection option.
    4. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP. The monitoring radio must be in Dedicated Monitor mode:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Select Dedicated Monitor on Radio 1 or Radio 2.
    4. Enable WIDS Profile. Select the profile created in step 1. Click OK.
  3. Suppress the rogue AP:
    1. Go to Monitor > Rogue AP Monitor.
    2. Right-click the desired SSID, then select Mark as Rogue.
    3. Right-click the SSID again, then select Suppress AP.

To enable rogue AP suppression using the FortiOS CLI:

  1. Create a WIDS profile:

config wireless-controller wids-profile
    edit "example-wids-profile"
        set sensor-mode both
        set ap-scan enable
    next
end

  2. Select the WIDS profile for the managed FortiAP:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        config radio-1
            set mode monitor
            set wids-profile "example-wids-profile"
        end
    next
end

  3. Suppress the rogue AP:

config wireless-controller ap-status
    edit 1
        set bssid 90:6c:ac:da:a7:f1
        set ssid "example-SSID"
        set status suppressed
    next
end

Wireless Intrusion Detection System

The guide provides simple configuration instructions for enabling a Wireless Intrusion Detection System (WIDS) profile on FortiAP.

To enable a WIDS profile on the FortiOS GUI:

  1. Create a WIDS profile:
    1. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
    2. In the Name field, enter the desired name.
    3. Under Intrusion Detection Settings, enable the intrusion types you want detected.
    4. Complete the configuration, then click OK.
  2. Select the WIDS profile for the managed FortiAP:
    1. Go to WiFi & Switch Controller > FortiAP Profiles.
    2. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
    3. Enable WIDS Profile. Select the profile created in step 1. Click OK.

To enable a WIDS profile using the FortiOS CLI:

config wireless-controller wtp-profile
    edit "example-FAP-profile"
        config platform
            set type <FAP-model-number>
        end
        set handoff-sta-thresh 55
        set ap-country US
        config radio-1
            set band 802.11n
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
        config radio-2
            set band 802.11ac
            set wids-profile "example-wids-profile"
            set vap-all disable
        end
    next
end

UTM security profile groups on FortiAP-S


This guide provides instructions for simple configuration of security profile groups for FortiAP, including creating security profile groups and selecting profile groups for the SSID.

To configure UTM security profile groups on the FortiOS GUI:

  1. Create a security profile group:
    1. Go to WiFi & Switch Controller > Security Profile Groups, then click Create New.
    2. Enter the desired interface name. Configure logging as desired.
    3. Enable Antivirus, Web Filter, Application, IPS, or Botnet, then select the desired profile.
  2. Create a local bridge mode SSID and enable security profile groups:
    1. Go to WiFi & Switch Controller > SSID. Select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Bridge.
    3. In the SSID field, enter the desired SSID name. Configure security as desired.
    4. Enable Security Profile Group, then select the group created in step 1.
    5. Click OK.
  3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:
    1. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
    2. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to add the Fortinet-PSK SSID.
    3. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to add the Fortinet-PSK SSID.
    4. Click OK.

To configure UTM security profile groups using the FortiOS CLI:

  1. Create a security profile group:

config wireless-controller utm-profile
    edit "wifi-UTM"
        set ips-sensor "default"
        set application-list "default"
        set antivirus-profile "default"
        set webfilter-profile "default"
        set scan-botnet-connections block
    next
end

  2. Create a local bridge mode SSID and enable security profile groups:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "SSID-UTM"
        set passphrase 12345678
        set local-bridging enable
        set schedule "always"
        set utm-profile "wifi-UTM"
    next
end

  3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:

config wireless-controller wtp
    edit "FP320C3X14000640"
        set admin enable
        set wtp-profile "FAP320C-default"
    next
end

config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
        config radio-2
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end

1+1 fast failover between FortiGate WiFi controllers


The following shows a simple network topology for this recipe. The primary and secondary FortiGates should reach the FortiAP at the physical level:

The following takes place in the event of a failover:

  1. The primary FortiGate syncs the wireless configuration to the secondary FortiGate.
  2. If the primary FortiGate fails, the secondary FortiGate takes over management of the FortiAP. The client can still connect with the SSID from the FortiAP and pass traffic.
  3. When the primary FortiGate is back online, it returns to managing the FortiAP.

In the CLI samples below, the primary FortiGate has an IP address of 10.43.1.80, while the secondary FortiGate has an IP address of 10.43.1.62.

To configure the primary FortiGate:

config wireless-controller inter-controller
    set inter-controller-mode 1+1
    set inter-controller-key 123456
    config inter-controller-peer
        edit 1
            set peer-ip 10.43.1.62
            set peer-priority secondary
        next
    end
end

To configure the secondary FortiGate:

config wireless-controller inter-controller
    set inter-controller-mode 1+1
    set inter-controller-key 123456
    set inter-controller-pri secondary
    config inter-controller-peer
        edit 1
            set peer-ip 10.43.1.80
        next
    end
end

To run diagnose commands:

  1. On the primary FortiGate, run diag wireless-controller wlac -c ha. The output should resemble the following:

WC fast failover info
cfg iter: 1 (age=17995, size=220729, fp=0x5477e28)
dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930)
dhcpd_ipmac iter: 123 (age=132, size=2860, fp=0x587d848)
mode: 1+1-ffo
pri: primary
key csum: 0x9c99
max: 10
wait: 10
peer cnt: 1
FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

  2. On the secondary FortiGate, run diag wireless-controller wlac -c ha. The output should resemble the following:

WC fast failover info
mode: 1+1-ffo
status: monitoring
pri: secondary
key csum: 0x9c99
max: 10
wait: 10
peer cnt: 1
FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

CAPWAP Offloading (NP6 only)


Simple Network Topology

NP6 offloading over CAPWAP traffic is supported by all the FortiGate high-level models and most middle-level models.

NP6 offloading over CAPWAP configuration

  1. Enable the capwap-offload option in system npu:

config system npu
    set capwap-offload enable
end

  2. NP6 session fast path requirements:

config firewall policy
    edit 1
        set auto-asic-offload enable
    next
end

  3. NP6 offloading over CAPWAP traffic is supported:
    • only with traffic from a Tunnel mode VAP.
    • only when dtls-policy is clear-text or ipsec-vpn in the wireless-controller wtp-profile configuration.
    • Traffic is not offloaded when dtls-policy=dtls-enable.
    • Traffic is not offloaded when it is fragmented.

Verify the system session of NP6 offloading

  • Check the system session when dtls-policy=clear-text; verify npu info: flag=0x81/0x89, offload=8/8

FG1K2D3I16800192 (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=21 expire=3591 tim
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper= reply-shaper= per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=16761744/11708/1 reply=5
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=57->37/37->57
gwy=172.16.200.44/10.65.1.2
hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001(1
hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f
total session 1

  • Check the system session when dtls-policy=ipsec-vpn; verify npu info: flag=0x81/0x82, offload=8/8

FG1K2D3I16800192 (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=7 expire=3592 time
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper= reply-shaper= per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/ state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=92/2/1 tupl
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=57->37/37->57
gwy=172.16.200.44/10.65.1.2
hook=post dir=org act=snat 10.65.1.2:50575->172.16.200.44:5001(1
hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f
total session 1
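To apply the two checks above to a whole session dump instead of reading it by eye, here is an added Python parser (example code, not a FortiOS command) for `diag sys session list` output. It splits the dump into sessions, reads the serial, the policy id, the tunnel name (populated when dtls-policy=ipsec-vpn) and the `npu info` flag/offload pair, and reports which sessions are offloaded in both directions (offload=8/8). The sample is constructed from the two sessions above, with the truncated fields completed, plus one non-offloaded session I added; the field names are taken from the output as shown.

```python
import re

_NPU_RE = re.compile(
    r"npu info: flag=(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+), offload=(\d+)/(\d+)")
_SERIAL_RE = re.compile(r"\bserial=([0-9a-fA-F]+)")
_TUNNEL_RE = re.compile(r"\btunnel=(\S*)")
_POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")


def parse_sessions(text):
    """Return one dict per session in the dump, in order of appearance."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        npu = _NPU_RE.search(chunk)
        serial = _SERIAL_RE.search(chunk)
        tunnel = _TUNNEL_RE.search(chunk)
        policy = _POLICY_RE.search(chunk)
        sessions.append({
            "serial": serial.group(1) if serial else None,
            "policy_id": int(policy.group(1)) if policy else None,
            # 'tunnel=/' means no tunnel; 'tunnel=/wlc-004100_0' names the
            # IPsec tunnel that carries the CAPWAP data channel.
            "tunnel": tunnel.group(1).strip("/") if tunnel else "",
            "flag_org": npu.group(1) if npu else None,
            "flag_reply": npu.group(2) if npu else None,
            # A session with no 'npu info' line has not been offloaded.
            "offload_org": int(npu.group(3)) if npu else 0,
            "offload_reply": int(npu.group(4)) if npu else 0,
        })
    return sessions


def is_fully_offloaded(session):
    """offload=8/8: both the original and the reply direction run on the NP6."""
    return session["offload_org"] == 8 and session["offload_reply"] == 8


def offload_report(text):
    """Map session serial to True/False for full NP6 offload."""
    return {s["serial"]: is_fully_offloaded(s) for s in parse_sessions(text)}


def not_offloaded(text):
    """Serials worth a look: dtls-enable, fragmentation, or a policy without
    auto-asic-offload are the causes the page lists."""
    return [s["serial"] for s in parse_sessions(text) if not is_fully_offloaded(s)]


# Constructed sample: the page's clear-text (00009a97) and ipsec-vpn (0000a393)
# sessions with only the fields the parser needs, plus session 0000b0c1, which
# is made up here to show a session that stayed on the CPU.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=21 expire=3591 timeout=3600
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu f00
hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158
session info: proto=6 proto_state=01 duration=7 expire=3592 timeout=3600
class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/255 state=log may_dirty npu f00
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty f00
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=1
serial=0000b0c1 tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=158
total session 3
"""

if __name__ == "__main__":
    for serial, offloaded in offload_report(SAMPLE).items():
        print(serial, "offloaded" if offloaded else "NOT offloaded")
```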

Switch Controller


The Switch Controller function, also known as FortiLink, is used to remotely manage FortiSwitch units. In the most common layer 2 scenario, the FortiGate acting as switch controller is connected to distribution FortiSwitch units. The distribution FortiSwitch units form the top tier of stacks of FortiSwitch units and connect downwards to Convergent or Access layer FortiSwitch units. To leverage CAPWAP and the Fortinet proprietary FortiLink protocol, data and control planes are established between the FortiGate and the FortiSwitch units.

FortiLink allows administrators to create and manage different VLANs, and apply the full-fledged security functions of FortiOS to them, such as 802.1X authentication and firewall policies. Most of the security control capabilities on the FortiGate are extended to the edge of the entire network, combining FortiGate, FortiSwitch, and FortiAP devices, and providing secure, seamless, and unified access control to users.

Standalone FortiGate as switch controller


In this example, one FortiSwitch is managed by a standalone FortiGate. The FortiGate uses an aggregate interface to operate as a switch controller. This configuration might be used in a branch office. It might also be used as a starting point before increasing the number of connected FortiSwitch units and evolving to a multi-tier structure.

Prerequisites:

  • The FortiGate model supports an aggregate interface.
  • FortiSwitch units have been upgraded to the latest released software version.
  • A layer-3 path/route in the management VDOM is available to the Internet so that the FortiSwitch units can synchronize NTP.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global
    set switch-mgmt-mode fortilink
end

This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode….

If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled, authorizing the switch on the FortiGate triggers the change to FortiLink mode automatically.

config switch interface
    edit "port1"
        set auto-discovery-fortilink enable
        ……
    next
end

Create an aggregate interface and designate it as the FortiLink interface on the FortiGate:

Using the CLI:

config system interface
    edit "aggr1"
        set vdom "vdom1"
        set fortilink enable
        set type aggregate
        set member "port11" "port12"
    next
end

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. In Interface members, select an existing aggregate interface (if there is one) or select one or more physical ports to create an aggregate interface.
  3. Configure other fields as necessary.
  4. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch
    edit "FSWSerialNum"
        set fsw-wan1-admin enable
        ……
    next
end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum
Get managed-switch S248EPTF18001384 connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface   status   duplex   speed      fortilink   stacking   poe status
port1       up       full     1000Mbps   no          no         Delivering Power
port2       down     N/A      0          no          no         Searching
……

Using the GUI:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

  2. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select POE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports, and view their real-time status such as link status and data statistics.
  3. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
    2. Configure the 802.1X security policies.
    3. Select Port-based or MAC-based mode and select user groups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller > FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface … OK aggr1 enabled
DHCP server … OK aggr1 enabled
NTP server … OK aggr1 enabled
NTP server sync … OK
synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 — reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 — reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 — reachable(0xff) S:2 T:66 selected server-version=4, stratum=2
reference time is dfe3aec5.744404e6 — UTC Sat Jan 12 00:09:41 2019
clock offset is -0.320411 sec, root delay is 0.054535 sec
root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 — reachable(0xff) S:2 T:66 server-version=4, stratum=2
reference time is dfe3aec5.744404e6 — UTC Sat Jan 12 00:09:41 2019
clock offset is -0.448087 sec, root delay is 0.054535 sec
root dispersion is 0.533081 sec, peer dispersion is 12542 msec
HA mode … disabled
Fortilink
Status … SWITCH_AUTHORIZED_READY
Last keepalive … 1 seconds ago
CAPWAP
Remote Address: 2.2.2.2
Status … CONNECTED
Last keepalive … 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms
— 2.2.2.2 ping statistics —
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms
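To read these checkpoints from a script, for instance one that polls several managed switches, here is an added Python parser (example code, not a FortiOS feature) for the diagnose-connection output above. It turns every `name … value` line into a checkpoint, keeps the Status and Last keepalive lines of the Fortilink and CAPWAP sections apart, reads the ping summary, and returns the checkpoints that explain an offline switch. Both samples are constructed: a healthy one taken from this page and a failing one I made up, whose FAILED, SWITCH_AUTHORIZED and DISCONNECTED values are placeholders rather than verified FortiOS strings. Both the `…` glyph shown on this page and a plain `...` are accepted.

```python
import re

# "<name> ... <value> <rest>" with either the three-dot or the ellipsis glyph.
_CHECK_RE = re.compile(r"^(.+?)\s*(?:\.\.\.|\u2026)\s*(\S+)\s*(.*)$")
_PING_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")
_SECTIONS = ("Fortilink", "CAPWAP")


def parse_diagnose(text):
    """Return {checkpoint: value} plus 'ping_loss' (percent) when present.

    Status and Last keepalive lines appear under both the Fortilink and the
    CAPWAP heading, so they are prefixed with the section they follow."""
    checks, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in _SECTIONS:
            section = line
            continue
        m = _CHECK_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2)
            if name in ("Status", "Last keepalive") and section:
                name = f"{section} {name}"
            checks[name] = value
            continue
        p = _PING_RE.search(line)
        if p:
            checks["ping_loss"] = int(p.group(3))
    return checks


def offline_causes(checks, keepalive_limit=300):
    """Checkpoints a failing switch trips, in the order the CLI prints them.

    keepalive_limit (seconds) is an assumed threshold, not a FortiOS value."""
    causes = []
    for name in ("Fortilink interface", "DHCP server", "NTP server", "NTP server sync"):
        if checks.get(name) != "OK":
            causes.append(f"{name}: {checks.get(name, 'missing')}")
    if checks.get("Fortilink Status") != "SWITCH_AUTHORIZED_READY":
        causes.append(f"Fortilink Status: {checks.get('Fortilink Status', 'missing')}")
    if checks.get("CAPWAP Status") != "CONNECTED":
        causes.append(f"CAPWAP Status: {checks.get('CAPWAP Status', 'missing')}")
    for sec in _SECTIONS:
        value = checks.get(f"{sec} Last keepalive", "")
        if value.isdigit() and int(value) > keepalive_limit:
            causes.append(f"{sec} Last keepalive: {value} seconds ago")
    if checks.get("ping_loss", 100) > 0:
        causes.append(f"ping loss: {checks.get('ping_loss', 'no ping output')}%")
    return causes


# Constructed sample 1: the healthy output from this page, shortened.
HEALTHY = """\
execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface … OK aggr1 enabled
DHCP server … OK aggr1 enabled
NTP server … OK aggr1 enabled
NTP server sync … OK synchronized: yes, ntpsync: enabled, server-mode: enabled
HA mode … disabled
Fortilink
Status … SWITCH_AUTHORIZED_READY
Last keepalive … 1 seconds ago
CAPWAP
Remote Address: 2.2.2.2
Status … CONNECTED
Last keepalive … 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
— 2.2.2.2 ping statistics —
5 packets transmitted, 5 packets received, 0% packet loss
"""

# Constructed sample 2: a made-up failure; the non-OK values are placeholders.
FAILING = """\
Fortilink interface ... OK aggr1 enabled
DHCP server ... OK aggr1 enabled
NTP server ... OK aggr1 enabled
NTP server sync ... FAILED synchronized: no, ntpsync: enabled
HA mode ... disabled
Fortilink
Status ... SWITCH_AUTHORIZED
Last keepalive ... 900 seconds ago
CAPWAP
Status ... DISCONNECTED
Last keepalive ... 900 seconds ago
5 packets transmitted, 0 packets received, 100% packet loss
"""

if __name__ == "__main__":
    print("healthy:", offline_causes(parse_diagnose(HEALTHY)) or "no causes")
    print("failing:", offline_causes(parse_diagnose(FAILING)))
```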


Multiple FortiSwitches managed via hardware/software switch


This example provides a recommended FortiLink configuration in which multiple FortiSwitches are managed by a standalone FortiGate acting as switch controller through a hardware or software switch interface, for example when you need multiple distribution FortiSwitches but the FortiGate does not support an aggregate interface.

Prerequisites:

  • The FortiGate model supports a hardware or software switch interface.
  • FortiSwitch units have been upgraded to the latest released software version.
  • A layer-3 path/route in the management VDOM is available to the Internet so that the FortiSwitch units can synchronize NTP.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global
    set switch-mgmt-mode fortilink
end

This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode….

If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled, authorizing the switch on the FortiGate triggers the change to FortiLink mode automatically.

config switch interface
    edit "port1"
        set auto-discovery-fortilink enable
        ……
    next
end

Create hardware or software switch interface and designate it as FortiLink interface on the FortiGate:

Create a hardware switch using the CLI:

config system virtual-switch
    edit "hardswitch1"
        set physical-switch "sw0"
        config port
            edit "port11"
            next
            edit "port12"
            next
        end
    next
end

Create a software switch using the CLI:

config system switch-interface
    edit "softswitch1"
        set vdom "vdom1"
        set member "port11" "port12"
    next
end

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. In Interface members, select an existing hardware/software switch interface (if there is one) or select one or more physical ports to create a hardware/software switch interface.
  3. Configure other fields as necessary.
  4. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch
    edit "FSWSerialNum"
        set fsw-wan1-admin enable
        ……
    next
end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum
Get managed-switch S248EPTF18001384 connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface   status   duplex   speed      fortilink   stacking   poe status
port1       up       full     1000Mbps   no          no         Delivering Power
port2       down     N/A      0          no          no         Searching
……

Using the GUI:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

  2. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select POE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports, and view their real-time status such as link status and data statistics.
  3. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
    2. Configure the 802.1X security policies.
    3. Select Port-based or MAC-based mode and select user groups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller > FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Bind FortiLink on hardware switch interface

Fortinet recommends binding FortiLink on the hardware switch interface. Since the hardware switch interface can leverage hardware chips to forward traffic, it does not consume CPU capacity, unlike a software switch.

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface ... OK hardswitch1 enabled
DHCP server ... OK hardswitch1 enabled
NTP server ... OK hardswitch1 enabled
NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.320411 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.448087 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 12542 msec
HA mode ... disabled
Fortilink
    Status ... SWITCH_AUTHORIZED_READY
    Last keepalive ... 1 seconds ago
CAPWAP
    Remote Address: 2.2.2.2
    Status ... CONNECTED
    Last keepalive ... 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms

Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled

This example provides a recommended FortiLink configuration in which multi-tier FortiSwitches are managed by a standalone FortiGate acting as switch controller through an aggregate interface, so that the FortiGate can provide redundant links to multiple distribution FortiSwitches.

Prerequisites:

  • The FortiGate model supports an aggregate interface.
  • FortiSwitch units have been upgraded to the latest released software version.
  • A layer-3 path/route from the management VDOM to the Internet is available so that the FortiSwitch units can synchronize NTP.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global
    set switch-mgmt-mode fortilink
end

This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....

If auto-discovery-fortilink is enabled on the FortiSwitch ports used for the FortiLink connection, authorizing the switch on the FortiGate triggers the change to FortiLink mode automatically.

config switch interface
    edit "port1"
        set auto-discovery-fortilink enable
        ......
    next
end

Create an aggregate interface and designate it as the FortiLink interface on the FortiGate:

Using the CLI:

config system interface
    edit "aggr1"
        set vdom "vdom1"
        set fortilink enable
        set type aggregate
        set member "port11" "port12"
        set fortilink-split-interface enable
    next
end

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. In Interface members, select one or more physical ports that are connected to different distribution FortiSwitches to create an aggregate interface.
  3. Enable FortiLink split interface.
  4. Configure other fields as necessary.
  5. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch
    edit "FSWSerialNum"
        set fsw-wan1-admin enable
        ......
    next
end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum
Get managed-switch S248EPTF18001384 connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface  status  duplex  speed     fortilink  stacking  poe status
port1      up      full    1000Mbps  no         no        Delivering Power
port2      down    N/A     0         no         no        Searching
......

Using the GUI:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

  2. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select PoE, DHCP snooping, STP, and other parameters for the FortiSwitch ports to display their real-time status, such as link status and data statistics.
  3. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
    2. Configure the 802.1X security policies.
    3. Select Port-based or MAC-based mode and select user groups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller > FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface ... OK aggr1 enabled
DHCP server ... OK aggr1 enabled
NTP server ... OK aggr1 enabled
NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.320411 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.448087 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 12542 msec
HA mode ... disabled
Fortilink
    Status ... SWITCH_AUTHORIZED_READY
    Last keepalive ... 1 seconds ago
CAPWAP
    Remote Address: 2.2.2.2
    Status ... CONNECTED
    Last keepalive ... 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms

Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution

This example provides a recommended FortiLink configuration in which multi-tier FortiSwitches are managed by a standalone FortiGate acting as switch controller through an aggregate interface, so that the FortiGate can provide active-active links to two distribution FortiSwitches that are connected to each other by MCLAG.

Prerequisites:

  • The FortiGate model supports an aggregate interface.
  • FortiSwitch units have been upgraded to the latest released software version.
  • A layer-3 path/route from the management VDOM to the Internet is available so that the FortiSwitch units can synchronize NTP.
  • For the FortiSwitch D series, only models above the 4 series support MCLAG. For the FortiSwitch E series, only models above the 2 series support MCLAG.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global
    set switch-mgmt-mode fortilink
end

This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....

If auto-discovery-fortilink is enabled on the FortiSwitch ports used for the FortiLink connection, authorizing the switch on the FortiGate triggers the change to FortiLink mode automatically.

config switch interface
    edit "port1"
        set auto-discovery-fortilink enable
        ......
    next
end

Create an aggregate interface and designate it as the FortiLink interface on the FortiGate:

Using the CLI:

config system interface
    edit "aggr1"
        set vdom "vdom1"
        set fortilink enable
        set type aggregate
        set member "port11" "port12"
        set fortilink-split-interface disable
    next
end

fortilink-split-interface must be disabled for MCLAG to work.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. In Interface members, select one or more physical ports that are connected to different distribution FortiSwitches to create an aggregate interface.
  3. Disable FortiLink split interface.
  4. Configure other fields as necessary.
  5. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch
    edit "FSWSerialNum"
        set fsw-wan1-admin enable
        ......
    next
end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum
Get managed-switch S248EPTF18001384 connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface  status  duplex  speed     fortilink  stacking  poe status
port1      up      full    1000Mbps  no         no        Delivering Power
port2      down    N/A     0         no         no        Searching
......

Using the GUI:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Enable MCLAG on the ICL link between the distribution FortiSwitch devices:

config switch trunk
    edit "4DN4K15000008-0"
        set mclag-icl enable
    next
end

When you enable mclag-icl, MCLAG on the FortiLink interface is enabled automatically and active-active backup links between the distribution FortiSwitches are established.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

  2. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select PoE, DHCP snooping, STP, and other parameters for the FortiSwitch ports to display their real-time status, such as link status and data statistics.
  3. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
    2. Configure the 802.1X security policies.
    3. Select Port-based or MAC-based mode and select user groups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller > FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface ... OK aggr1 enabled
DHCP server ... OK aggr1 enabled
NTP server ... OK aggr1 enabled
NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.320411 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.448087 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 12542 msec
HA mode ... disabled
Fortilink
    Status ... SWITCH_AUTHORIZED_READY
    Last keepalive ... 1 seconds ago
CAPWAP
    Remote Address: 2.2.2.2
    Status ... CONNECTED
    Last keepalive ... 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms

Multiple FortiSwitches managed via hardware/software switch

This example provides a recommended FortiLink configuration in which multiple FortiSwitches are managed by an A-P mode HA cluster of FortiGates acting as switch controller through a hardware or software switch interface. A common use case is when you need multiple distribution FortiSwitches but the FortiGate pair does not support aggregate interfaces.

Prerequisites:

  • The FortiGate model supports a hardware or software switch interface.
  • FortiSwitch units have been upgraded to the latest released software version.
  • A layer-3 path/route from the management VDOM to the Internet is available so that the FortiSwitch units can synchronize NTP.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global
    set switch-mgmt-mode fortilink
end

This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....

If auto-discovery-fortilink is enabled on the FortiSwitch ports used for the FortiLink connection, authorizing the switch on the FortiGate triggers the change to FortiLink mode automatically.

config switch interface
    edit "port1"
        set auto-discovery-fortilink enable
        ......
    next
end

Set up an A-P mode HA cluster:

See HA active-passive cluster setup on page 212.

Create hardware or software switch interface and designate it as FortiLink interface on the FortiGate:

Create a hardware switch using the CLI:

config system virtual-switch
    edit "hardswitch1"
        set physical-switch "sw0"
        config port
            edit "port11"
            next
            edit "port12"
            next
        end
    next
end

Create a software switch using the CLI:

config system switch-interface
    edit "softswitch1"
        set vdom "vdom1"
        set member "port11" "port12"
    next
end

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. In Interface members, select an existing hardware/software switch interface (if there is one) or select one or more physical ports to create a hardware/software switch interface.
  3. Configure other fields as necessary.
  4. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch
    edit "FSWSerialNum"
        set fsw-wan1-admin enable
        ......
    next
end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum
Get managed-switch S248EPTF18001384 connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface  status  duplex  speed     fortilink  stacking  poe status
port1      up      full    1000Mbps  no         no        Delivering Power
port2      down    N/A     0         no         no        Searching
......

Using the GUI:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

  2. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select PoE, DHCP snooping, STP, and other parameters for the FortiSwitch ports to display their real-time status, such as link status and data statistics.
  3. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
    2. Configure the 802.1X security policies.
    3. Select Port-based or MAC-based mode and select user groups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller > FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Bind FortiLink on hardware switch interface

Fortinet recommends binding FortiLink on the hardware switch interface. Since the hardware switch interface can leverage hardware chips to forward traffic, it does not consume CPU capacity, unlike a software switch.

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface ... OK hardswitch1 enabled
DHCP server ... OK hardswitch1 enabled
NTP server ... OK hardswitch1 enabled
NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.320411 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.448087 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 12542 msec
HA mode ... disabled
Fortilink
    Status ... SWITCH_AUTHORIZED_READY
    Last keepalive ... 1 seconds ago
CAPWAP
    Remote Address: 2.2.2.2
    Status ... CONNECTED
    Last keepalive ... 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms

HA sync fails

If HA sync fails, use the command below to diagnose and locate the cause.

# diagnose system ha checksum cluster
================== FG5H0E39179XXX9 ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

================== FG5H0E391790XXX4 ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled

This example provides a recommended FortiLink configuration in which multi-tier FortiSwitches are managed by an A-P mode HA cluster of FortiGates acting as switch controller through an aggregate interface, so that each FortiGate cluster member can provide redundant links to multiple (>=2) distribution FortiSwitches.

Prerequisites:

  • The FortiGate model supports an aggregate interface.
  • FortiSwitch units have been upgraded to the latest released software version.
  • A layer-3 path/route from the management VDOM to the Internet is available so that the FortiSwitch units can synchronize NTP.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global
    set switch-mgmt-mode fortilink
end

This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....

If auto-discovery-fortilink is enabled on the FortiSwitch ports used for the FortiLink connection, authorizing the switch on the FortiGate triggers the change to FortiLink mode automatically.

config switch interface
    edit "port1"
        set auto-discovery-fortilink enable
        ......
    next
end

Set up an A-P mode HA cluster:

See HA active-passive cluster setup on page 212.

Create an aggregate interface and designate it as the FortiLink interface on the FortiGate:

Using the CLI:

config system interface
    edit "aggr1"
        set vdom "vdom1"
        set fortilink enable
        set type aggregate
        set member "port11" "port12"
        set fortilink-split-interface enable
    next
end

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. In Interface members, select one or more physical ports that are connected to different distribution FortiSwitches to create an aggregate interface.
  3. Enable FortiLink split interface.
  4. Configure other fields as necessary.
  5. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch
    edit "FSWSerialNum"
        set fsw-wan1-admin enable
        ......
    next
end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum
Get managed-switch S248EPTF18001384 connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface  status  duplex  speed     fortilink  stacking  poe status
port1      up      full    1000Mbps  no         no        Delivering Power
port2      down    N/A     0         no         no        Searching
......

Using the GUI:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

  2. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select PoE, DHCP snooping, STP, and other parameters for the FortiSwitch ports to display their real-time status, such as link status and data statistics.
  3. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
    2. Configure the 802.1X security policies.
    3. Select Port-based or MAC-based mode and select user groups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller > FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface ... OK aggr1 enabled
DHCP server ... OK aggr1 enabled
NTP server ... OK aggr1 enabled
NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.320411 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66
    server-version=4, stratum=2
    reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
    clock offset is -0.448087 sec, root delay is 0.054535 sec
    root dispersion is 0.533081 sec, peer dispersion is 12542 msec
HA mode ... disabled
Fortilink
    Status ... SWITCH_AUTHORIZED_READY
    Last keepalive ... 1 seconds ago
CAPWAP
    Remote Address: 2.2.2.2
    Status ... CONNECTED
    Last keepalive ... 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms
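The "Authorized FortiSwitch always offline" procedure, here and in its earlier repetitions on this page, asks you to read each checkpoint by eye. The Python script below is an added example (not Fortinet's code) that parses diagnose-connection output in the shape shown above and returns a list of findings, so the same check can run from a monitoring job over output captured from the FortiGate CLI; the keepalive staleness threshold and the FAILED/DISCONNECTED tokens in the constructed failing sample are assumptions, not documented FortiOS values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the diagnose-connection output shown on this page.
HEALTHY = """\
Fortilink interface ... OK aggr1 enabled
DHCP server ... OK aggr1 enabled
NTP server ... OK aggr1 enabled
NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
HA mode ... disabled
Fortilink
    Status ... SWITCH_AUTHORIZED_READY
    Last keepalive ... 1 seconds ago
CAPWAP
    Remote Address: 2.2.2.2
    Status ... CONNECTED
    Last keepalive ... 26 seconds ago
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
"""
# Constructed failing variant (the FAILED/DISCONNECTED tokens are assumed, not documented
# FortiOS output): NTP never synchronized, CAPWAP tunnel down, switch not answering pings.
BROKEN = (HEALTHY
          .replace("sync ... OK synchronized: yes", "sync ... FAILED synchronized: no")
          .replace(" T:66 selected", " T:66")
          .replace("Status ... CONNECTED", "Status ... DISCONNECTED")
          .replace("26 seconds ago", "412 seconds ago")
          .replace("5 packets received, 0% packet loss", "0 packets received, 100% packet loss"))

MAX_KEEPALIVE_AGE_S = 60      # assumed staleness threshold, not a Fortinet-documented value
INFORMATIONAL = {"HA mode"}   # reported as a state, never as pass/fail
SECTIONS = ("Fortilink", "CAPWAP")
CHECK_RE = re.compile(r"^(?P<indent>\s*)(?P<name>[^.:]+?) \.\.\. (?P<value>.+)$")
PING_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")
KEEPALIVE_RE = re.compile(r"(\d+) seconds? ago")


@dataclass
class FortiLinkDiag:
    checkpoints: Dict[str, str] = field(default_factory=dict)          # top-level "... OK" lines
    sections: Dict[str, Dict[str, str]] = field(default_factory=dict)  # Fortilink / CAPWAP fields
    ntp_selected: bool = False                                         # an NTP peer is "selected"
    ping: Optional[Tuple[int, ...]] = None                             # (sent, received, loss %)


def parse_diag(text: str) -> FortiLinkDiag:
    """Parse the checkpoint lines, the Fortilink/CAPWAP sub-sections and the ping summary."""
    d, section = FortiLinkDiag(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS and raw == line:            # unindented section header
            section = line
            d.sections[section] = {}
        elif (m := CHECK_RE.match(raw)):
            name, value = m.group("name").strip(), m.group("value").strip()
            if m.group("indent") and section:
                d.sections[section][name] = value
            else:
                section = None
                d.checkpoints[name] = value
        elif line.startswith("ipv4 server(") and line.endswith("selected"):
            d.ntp_selected = True
        elif (pm := PING_RE.search(line)):
            d.ping = tuple(int(x) for x in pm.groups())
        elif section and raw != line and ":" in line:  # indented "Remote Address: 2.2.2.2"
            key, val = line.split(":", 1)
            d.sections[section][key.strip()] = val.strip()
    return d


def evaluate(d: FortiLinkDiag) -> List[str]:
    """One finding per failed checkpoint; an empty list means FortiLink is healthy."""
    findings = [f"checkpoint failed: {n} -> {v}" for n, v in d.checkpoints.items()
                if n not in INFORMATIONAL and v.split()[0] != "OK"]
    if not d.ntp_selected:
        findings.append("NTP: no server selected; check the layer-3 path from the management VDOM")
    fl, cw = d.sections.get("Fortilink", {}), d.sections.get("CAPWAP", {})
    if fl.get("Status") != "SWITCH_AUTHORIZED_READY":
        findings.append(f"FortiLink status is {fl.get('Status', 'missing')}")
    if cw.get("Status") != "CONNECTED":
        findings.append(f"CAPWAP status is {cw.get('Status', 'missing')}")
    for label, sec in (("FortiLink", fl), ("CAPWAP", cw)):
        km = KEEPALIVE_RE.search(sec.get("Last keepalive", ""))
        if km is None or int(km.group(1)) > MAX_KEEPALIVE_AGE_S:
            findings.append(f"{label} keepalive stale or missing")
    if d.ping is None:
        findings.append("no ping statistics found")
    elif d.ping[2] > 0:
        findings.append(f"{d.ping[2]}% packet loss to the FortiSwitch")
    return findings
```

`evaluate(parse_diag(HEALTHY))` returns an empty list, while the broken sample yields five findings (the NTP sync checkpoint, no selected NTP server, CAPWAP disconnected, a stale CAPWAP keepalive, and 100% packet loss).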

HA sync fails

If HA sync fails, use the command below to diagnose and locate the cause.

# diagnose system ha checksum cluster
================== FG5H0E39179XXX9 ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

================== FG5H0E391790XXX4 ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution

This example provides a recommended FortiLink configuration in which multi-tier FortiSwitches are managed by an A-P mode HA cluster of FortiGates acting as the switch controller through an aggregate interface. The FortiGates provide active-active links to two distribution FortiSwitches that are connected to each other by MCLAG.

Prerequisites:

  • The FortiGate model supports an aggregate interface.
  • The FortiSwitch units have been upgraded to the latest released software version.
  • A layer-3 path/route to the Internet is available in the management VDOM so that the FortiSwitch units can synchronize NTP.
  • For the FortiSwitch D series, only the models above 4 support MCLAG. For the FortiSwitch E series, only the models above 2 support MCLAG.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global
    set switch-mgmt-mode fortilink
end
This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....

If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled, executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.

config switch interface
    edit "port1"
        set auto-discovery-fortilink enable
        ......
    next
end

Set up an A-P mode HA cluster:

See HA active-passive cluster setup on page 212.

Create an aggregate interface and designate it as Fortilink interface on the FortiGate:

Using the CLI:

config system interface
    edit "aggr1"
        set vdom "vdom1"
        set fortilink enable
        set type aggregate
        set member "port11" "port12"
        set fortilink-split-interface disable
    next
end

fortilink-split-interface must be disabled for MCLAG to work.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. In Interface members, select one or more physical ports that are connected to different distribution FortiSwitches to create an aggregate interface.
  3. Disable FortiLink split interface.
  4. Configure other fields as necessary.
  5. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch
    edit "FSWSerialNum"
        set fsw-wan1-admin enable
        ......
    next
end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum
Get managed-switch S248EPTF18001384 connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface   status   duplex   speed      fortilink   stacking   poe status
port1       up       full     1000Mbps   no          no         Delivering Power
port2       down     N/A      0          no          no         Searching
......

Using the GUI:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Enable MCLAG on the ICL link between the distribution FortiSwitch devices:

config switch trunk
    edit "4DN4K15000008-0"
        set mclag-icl enable
    next
end

When you enable mclag-icl, MCLAG on the FortiLink interface is enabled automatically and active-active backup links between the distribution FortiSwitches are established.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

  2. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select PoE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports to show their real-time status, such as link status and data statistics.
  3. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
    2. Configure the 802.1X security policies.
    3. Select Port-based or MAC-based mode and select User groups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller > FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface ... OK aggr1 enabled
DHCP server ... OK aggr1 enabled
NTP server ... OK aggr1 enabled
NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
        server-version=4, stratum=2
        reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
        clock offset is -0.320411 sec, root delay is 0.054535 sec
        root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66
        server-version=4, stratum=2
        reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
        clock offset is -0.448087 sec, root delay is 0.054535 sec
        root dispersion is 0.533081 sec, peer dispersion is 12542 msec
HA mode ... disabled
Fortilink
  Status ... SWITCH_AUTHORIZED_READY
  Last keepalive ... 1 seconds ago
CAPWAP
  Remote Address: 2.2.2.2
  Status ... CONNECTED
  Last keepalive ... 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms

HA sync fails

If HA sync fails, use the command below to diagnose and locate the cause. Compare the checksum of each scope (global, root, each VDOM) between the two members: a scope whose checksum differs from the master's is where the configurations diverge.

# diagnose system ha checksum cluster
================== FG5H0E39179XXX9 ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
================== FG5H0E391790XXX4 ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad

Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled on all tiers

This example provides a recommended FortiLink configuration in which multi-tier FortiSwitch devices are managed by an A-P mode HA cluster of FortiGates acting as the switch controller through an aggregate interface. The FortiGates provide active-active (A-A) links to two distribution FortiSwitches that are connected to each other by MCLAG. All access FortiSwitch devices have A-A links to two upper-tier FortiSwitches, as long as the MCLAG-ICL has been enabled between those upper tiers.

Prerequisites:

  • The FortiGate model supports an aggregate interface.
  • The FortiSwitch units have been upgraded to the latest released software version.
  • A layer-3 path/route to the Internet is available in the management VDOM so that the FortiSwitch units can synchronize NTP.
  • For the FortiSwitch D series, only the models above 4 support MCLAG. For the FortiSwitch E series, only the models above 2 support MCLAG.

Change the FortiSwitch management mode to FortiLink:

Enter the following CLI commands on the FortiSwitch:

config system global
    set switch-mgmt-mode fortilink
end
This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....

If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled, executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.

config switch interface
    edit "port1"
        set auto-discovery-fortilink enable
        ......
    next
end

Set up an A-P mode HA cluster:

See HA active-passive cluster setup on page 212.

Create an aggregate interface and designate it as Fortilink interface on the FortiGate:

Using the CLI:

config system interface
    edit "aggr1"
        set vdom "vdom1"
        set fortilink enable
        set type aggregate
        set member "port11" "port12"
        set fortilink-split-interface disable
    next
end

fortilink-split-interface must be disabled for MCLAG to work.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiLink Interface.
  2. In Interface members, select one or more physical ports that are connected to different distribution FortiSwitches to create an aggregate interface.
  3. Disable FortiLink split interface.
  4. Configure other fields as necessary.
  5. Click OK.

Discover and authorize the FortiSwitch:

Using the CLI:

config switch-controller managed-switch
    edit "FSWSerialNum"
        set fsw-wan1-admin enable
        ......
    next
end

Check the CLI output for Connection: Connected to show that FortiLink is up:

execute switch-controller get-conn-status FSWSerialNum
Get managed-switch S248EPTF18001384 connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface   status   duplex   speed      fortilink   stacking   poe status
port1       up       full     1000Mbps   no          no         Delivering Power
port2       down     N/A      0          no          no         Searching
......

Using the GUI:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click Authorize and wait for a few minutes for the connection to be established.

When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes to a solid line. The Connection status shows that FortiLink is up.

Enable MCLAG on the ICL link between the distribution FortiSwitch devices:

config switch trunk
    edit "4DN4K15000008-0"
        set mclag-icl enable
    next
end

When you enable mclag-icl, MCLAG on the FortiLink interface is enabled automatically and active-active backup links between the distribution FortiSwitches are established.

Extend the security perimeter to the edge of FortiSwitch:

  1. Configure the VLAN arrangement.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
    2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

  2. Configure FortiSwitch ports.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
    2. Select one or more FortiSwitch ports and assign them to the switch VLAN.
    3. You can also select PoE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports to show their real-time status, such as link status and data statistics.
  3. Configure access authentication.
    1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
    2. Configure the 802.1X security policies.
    3. Select Port-based or MAC-based mode and select User groups from the existing VDOM.
    4. Configure other fields as necessary.
    5. Go to WiFi & Switch Controller > FortiSwitch Ports.
    6. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the pane.

Troubleshooting

Authorized FortiSwitch always offline

If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the checkpoints. Inspect each checkpoint to find the cause of the problem.

execute switch-controller diagnose-connection S248EPTF18001384
Fortilink interface ... OK aggr1 enabled
DHCP server ... OK aggr1 enabled
NTP server ... OK aggr1 enabled
NTP server sync ... OK synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.113.71 -- reachable(0x80) S:2 T:128 no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
        server-version=4, stratum=2
        reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
        clock offset is -0.320411 sec, root delay is 0.054535 sec
        root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66
        server-version=4, stratum=2
        reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
        clock offset is -0.448087 sec, root delay is 0.054535 sec
        root dispersion is 0.533081 sec, peer dispersion is 12542 msec
HA mode ... disabled
Fortilink
  Status ... SWITCH_AUTHORIZED_READY
  Last keepalive ... 1 seconds ago
CAPWAP
  Remote Address: 2.2.2.2
  Status ... CONNECTED
  Last keepalive ... 26 seconds ago
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=1.1 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=13.9 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=12.7 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=2.9 ms
64 bytes from 2.2.2.2: icmp_seq=4 ttl=64 time=1.2 ms
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms

HA sync fails

If HA sync fails, use the command below to diagnose and locate the cause. Compare the checksum of each scope (global, root, each VDOM) between the two members: a scope whose checksum differs from the master's is where the configurations diverge.

# diagnose sys ha checksum cluster
================== FG5H0E39179XXX9 ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
================== FG5H0E391790XXX4 ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
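The "HA sync fails" steps above (one per MCLAG scenario) show the checksum dump but leave the member-by-member comparison to the reader. The Python script below is an added example, not Fortinet's code, that parses that output format and reports every scope whose checksum on a non-master member differs from the master's. The sample text is constructed from the page's dump, with the second member's vdom2 and all checksums altered so that there is a mismatch to find; the serial numbers are the page's masked placeholders.

```python
"""Compare `diagnose sys ha checksum cluster` output between HA members.

Added example (not Fortinet's code). It parses the per-member blocks in the
format shown on the page and reports every scope (global, root, vdomN)
whose checksum on a non-master member differs from the master's.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the second member's vdom2 and all checksums are
# altered on purpose. Serials are the page's masked placeholders.
SAMPLE_OUTPUT = """\
================== FG5H0E39179XXX9 ==================
is_manage_master()=1, is_root_master()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
================== FG5H0E391790XXX4 ==================
is_manage_master()=0, is_root_master()=0
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom2: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom2: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
"""

MEMBER_RE = re.compile(r"^=+\s*(\S+)\s*=+$")
SUM_RE = re.compile(r"^(\S+):\s+((?:[0-9a-f]{2}\s*){16})$")


def parse_checksums(text: str) -> Dict[str, dict]:
    """Return {serial: {"master": bool, "checksum": {scope: hex}}}.

    Only the lines after the literal word "checksum" are kept; the
    "debugzone" section repeats the same data and is skipped.
    """
    members: Dict[str, dict] = {}
    serial = None
    in_checksum = False
    for line in text.splitlines():
        line = line.strip()
        m = MEMBER_RE.match(line)
        if m:
            serial = m.group(1)
            members[serial] = {"master": False, "checksum": {}}
            in_checksum = False
            continue
        if serial is None:
            continue
        if line.startswith("is_manage_master()="):
            members[serial]["master"] = "is_manage_master()=1" in line
        elif line == "checksum":
            in_checksum = True
        elif line == "debugzone":
            in_checksum = False
        elif in_checksum:
            m = SUM_RE.match(line)
            if m:
                members[serial]["checksum"][m.group(1)] = m.group(2).replace(" ", "")
    return members


def find_mismatches(members: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """List (scope, master_serial, member_serial, member_checksum) for each
    scope where a non-master member's checksum differs from the master's."""
    masters = [s for s, m in members.items() if m["master"]]
    if len(masters) != 1:
        raise ValueError(f"expected exactly one master, found {masters}")
    master = masters[0]
    ref = members[master]["checksum"]
    out = []
    for serial, data in members.items():
        if serial == master:
            continue
        for scope, ref_sum in ref.items():
            theirs = data["checksum"].get(scope)
            if theirs != ref_sum:
                out.append((scope, master, serial, theirs or "<missing>"))
    return out


if __name__ == "__main__":
    for scope, master, member, theirs in find_mismatches(parse_checksums(SAMPLE_OUTPUT)):
        print(f"{scope}: {member} differs from master {master} ({theirs})")
```

Paste the real command output into parse_checksums in place of the sample. A mismatched vdomN scope narrows the search to that VDOM's configuration; a mismatch only in global points at settings outside any VDOM.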


MAC-based 802.1X authentication

This example shows how to configure MAC-based 802.1X authentication on managed FortiSwitch ports when using FortiLink. Managed FortiSwitch devices authenticate and record the MAC addresses of user devices. If there is a hub after the FortiSwitch that connects multiple user devices, each device can access the network only after it has passed authentication.

Prerequisites:

  • The certificates and authentication protocol supported by the supplicant software and RADIUS server are compatible.
  • The managed FortiSwitches using FortiLink act as authenticators.

Create a firewall policy to allow the RADIUS authentication related traffic from the Fortilink interface to the outbound interface on the FortiGate:

config firewall policy
    edit 0
        set srcintf "fortilink-interface"
        set dstintf "outbound-interface-to-RadiusSVR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end

Designate a RADIUS server and create a user group:

Using the CLI:

config user radius
    edit "Radius1"
        set server "172.18.60.203"
        set secret ENC 1dddddd
    next
end

config user group
    edit "Radius-Grp1"
        set member "Radius1"
    next
end

Using the GUI:

  1. On the FortiGate, go to User & Device > RADIUS Servers.
  2. Edit an existing server, or create a new one.
  3. If necessary, add a Name for the server.
  4. Set the IP/Name to 172.18.60.203 and Secret to 1dddddd.
  5. Configure other fields as necessary.
  6. Click OK.
  7. Go to User & Device > User Groups.
  8. Create a new group, and add the RADIUS server to the Remote Groups.
  9. Click OK.

Use the new user group in a security policy:

Using the CLI:

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X-mac-based
        set user-group "Radius-Grp1"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end

Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Use the default 802-1X-policy-default, or create a new security policy.
  3. Use the RADIUS server group in the policy.
  4. Set the Security mode to MAC-based.
  5. Configure other fields as necessary.
  6. Click OK.

Apply the security policy to the ports of the managed FortiSwitches:

Using the CLI:

config switch-controller managed-switch
    edit S248EPTF1800XXXX
        config ports
            edit "port6"
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end

On the FortiSwitch, check the configuration:

config switch interface
    edit "port6"
        set allowed-vlans 4093
        set untagged-vlans 4093
        set security-groups "Radius-Grp1"
        set snmp-index 6
        config port-security
            set auth-fail-vlan disable
            set eap-passthru enable
            set framevid-apply enable
            set guest-auth-delay 30
            set guest-vlan disable
            set mac-auth-bypass disable
            set open-auth disable
            set port-security-mode 802.1X-mac-based
            set radius-timeout-overwrite disable
            set auth-fail-vlanid 200
            set guest-vlanid 100
        end
    next
end

Using the GUI:

  1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

Execute 802.1X authentication on a user device:

On Linux, run wpa_supplicant:

wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf -D wired -i eth2 -dd

On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X
Managed Switch : S248EPTF1800XXXX

port6 : Mode: mac-based (mac-by-pass disable)      -----> MAC-based
Link: Link up
Port State: authorized: ( )                         -----> "authorized" means authentication passed; otherwise "failed" is shown
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :
Switch sessions 1/240,    Local port sessions:1/20
Client    MAC          Type    Vlan Dynamic-Vlan
00:0c:29:d4:4f:3c     802.1x      1      0          -----> The device that passed authentication can access the network and its MAC address is recorded; other user devices on the same FortiSwitch port are still not allowed access
Sessions info:
00:0c:29:d4:4f:3c    Type=802.1x,MD5,state=AUTHENTICATED,etime=6,eap_cnt=3
params:reAuth=3600

Port-based 802.1X authentication

This example shows how to configure port-based 802.1X authentication on managed FortiSwitch ports when using FortiLink. Managed FortiSwitch devices authenticate user devices per FortiSwitch port. If there is a hub after the FortiSwitch that connects multiple user devices to the same port, all of them can access the network once one device has authenticated, which is not recommended from a security perspective.

Prerequisites:

  • The certificates and authentication protocol supported by the supplicant software and RADIUS server are compatible.
  • The managed FortiSwitches using FortiLink act as authenticators.

Create a firewall policy to allow the RADIUS authentication related traffic from the Fortilink interface to the outbound interface on the FortiGate:

config firewall policy
    edit 0
        set srcintf "fortilink-interface"
        set dstintf "outbound-interface-to-RadiusSVR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end

Designate a RADIUS server and create a user group:

Using the CLI:

config user radius
    edit "Radius1"
        set server "172.18.60.203"
        set secret ENC 1dddddd
    next
end

config user group
    edit "Radius-Grp1"
        set member "Radius1"
    next
end

Using the GUI:

  1. On the FortiGate, go to User & Device > RADIUS Servers.
  2. Edit an existing server, or create a new one.
  3. If necessary, add a Name for the server.
  4. Set the IP/Name to 172.18.60.203 and Secret to 1dddddd.
  5. Configure other fields as necessary.
  6. Click OK.
  7. Go to User & Device > User Groups.
  8. Create a new group, and add the RADIUS server to the Remote Groups.
  9. Click OK.

Use the new user group in a security policy:

Using the CLI:

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X
        set user-group "Radius-Grp1"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end

Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Use the default 802-1X-policy-default, or create a new security policy.
  3. Use the RADIUS server group in the policy.
  4. Set the Security mode to Port-based.
  5. Configure other fields as necessary.
  6. Click OK.

Apply the security policy to the ports of the managed FortiSwitches:

Using the CLI:

config switch-controller managed-switch
    edit S248EPTF1800XXXX
        config ports
            edit "port6"
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end

Using the GUI:

  1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Configure the VLAN interfaces that are applied on the FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

Execute 802.1X authentication on a user device:

On Linux, run wpa_supplicant:

wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf -D wired -i eth2 -dd

On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X
Managed Switch : S248EPTF18001384

port6 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
Dynamic Authorized Vlan : 0
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 4093
Guest VLAN :
Auth-Fail Vlan :
Sessions info:
00:0c:29:d4:4f:3c    Type=802.1x,MD5,state=AUTHENTICATED,etime=0,eap_cnt=6
params:reAuth=3600
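The MAC-based and port-based walkthroughs above both end with the `diagnose switch-controller switch-info 802.1X` dump, and the port-based one notes that a hub behind such a port admits every host once one has authenticated. The Python script below is an added example, not Fortinet's code, that parses that dump into per-port records and applies a few defender-side rules: ports left in port-based mode, ports with MAC authentication bypass enabled, sessions that are not in AUTHENTICATED state, and sessions negotiated with EAP-MD5 (which gives the supplicant no way to verify the authentication server). The sample output is constructed from the page's two captures; port7, its MAC address and its PEAP session are invented, and the switch serial is the page's placeholder.

```python
"""Audit `diagnose switch-controller switch-info 802.1X` output.

Added example, not Fortinet code. Parses the per-port blocks in the format
the page shows and applies simple posture rules to them.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: port6 is the page's capture, port7 is invented so the
# rules have something to report. The serial is the page's placeholder.
SAMPLE = """\
Managed Switch : S248EPTF1800XXXX

port6 : Mode: mac-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :
Switch sessions 1/240, Local port sessions:1/20
Client MAC Type Vlan Dynamic-Vlan
00:0c:29:d4:4f:3c 802.1x 1 0
Sessions info:
00:0c:29:d4:4f:3c Type=802.1x,MD5,state=AUTHENTICATED,etime=6,eap_cnt=3
params:reAuth=3600

port7 : Mode: port-based (mac-by-pass enable)
Link: Link up
Port State: unauthorized: ( )
Dynamic Authorized Vlan : 0
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 4093
Guest VLAN :
Auth-Fail Vlan :
Sessions info:
00:0c:29:aa:bb:cc Type=802.1x,PEAP,state=AUTHENTICATING,etime=0,eap_cnt=2
params:reAuth=3600
"""

PORT_RE = re.compile(r"^(port\d+)\s*:\s*Mode:\s*(\S+)\s*\(mac-by-pass\s+(\w+)\)")
STATE_RE = re.compile(r"^Port State:\s*(\w+)")
SESSION_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+Type=([^,]+),([^,]+),state=(\w+)"
)


@dataclass
class Port:
    name: str
    mode: str           # "mac-based" or "port-based"
    mab: bool           # MAC authentication bypass enabled
    state: str = "unknown"
    sessions: List[dict] = field(default_factory=list)


def parse_dot1x(text: str) -> Dict[str, Port]:
    """Return {port name: Port} for every port block in the output."""
    ports: Dict[str, Port] = {}
    cur = None
    in_sessions = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            cur = Port(name=m.group(1), mode=m.group(2), mab=(m.group(3) == "enable"))
            ports[cur.name] = cur
            in_sessions = False
            continue
        if cur is None:
            continue
        m = STATE_RE.match(line)
        if m:
            cur.state = m.group(1)
        elif line.startswith("Sessions info"):
            in_sessions = True        # only lines after this are sessions
        elif in_sessions:
            m = SESSION_RE.match(line)
            if m:
                cur.sessions.append({"mac": m.group(1), "type": m.group(2),
                                     "method": m.group(3), "state": m.group(4)})
    return ports


def audit(ports: Dict[str, Port]) -> List[str]:
    """Apply the posture rules described in the lead-in; return findings."""
    findings = []
    for p in ports.values():
        if p.mode == "port-based":
            findings.append(f"{p.name}: port-based mode; a hub on this port admits every host once one authenticates")
        if p.mab:
            findings.append(f"{p.name}: MAC authentication bypass enabled; admission rests on a MAC address alone")
        for s in p.sessions:
            if s["state"] != "AUTHENTICATED":
                findings.append(f"{p.name}: {s['mac']} in state {s['state']}")
            if s["method"].upper() == "MD5":
                findings.append(f"{p.name}: {s['mac']} uses EAP-MD5, which gives the supplicant no server authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dot1x(SAMPLE)):
        print(finding)
```

Run it against the real output of the diagnose command on a schedule and diff the findings; a port that flips from mac-based to port-based, or a session that appears with MAC bypass, is worth a change-control question.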

MAC layer control – Sticky MAC and MAC Learning-limit

Persistent MAC learning, or Sticky MAC, is a port security feature that lets an interface retain dynamically learned MAC addresses when a switch is restarted, or an interface goes down and then is brought back online.

Enabling Sticky MAC along with MAC Learning-limit restricts the number of MAC addresses that are learned. This prevents layer 2 Denial of Service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation attacks by limiting the number of MAC addresses that are allowed while still allowing the interface to learn a specified number of MAC addresses. The interface is secured because, after the specified limit has been reached, additional devices cannot connect to the port. Interfaces can be allowed to learn the MAC address of trusted workstations and servers from the time that the interfaces are connected to the network, until the MAC address limit is reached.

Prerequisites

  • Sticky MAC save is hardware and CPU intensive if there are too many entries.
  • Dual chip device models (X48 and XX48 FortiSwitch models) do not support MAC Learning-limit on VLANs, but still support it on FortiSwitch ports.

Enable Sticky MAC on the FortiSwitch ports view:

config switch-controller managed-switch
    edit S248EPTF18001384
        config ports
            edit port6
                set sticky-mac enable
            next
        end
    next
end

Check the MAC-table on the FortiSwitch to see that the status of related MAC items on the Sticky MAC enabled ports has changed from dynamic to static:

Before Sticky-MAC is enabled:

diagnose switch mac-address list

MAC: 08:5b:0e:06:6a:d4 VLAN: 1 Port: port1(port-id 1) Flags: 0x00030440 [ hit dynamic src-hit native move ]

After Sticky-MAC is enabled:

diagnose switch mac-address list

MAC: 00:0c:29:d4:4f:3c VLAN: 1 Port: port6(port-id 6) Flags: 0x00000020 [ static ]

Save Sticky-MAC items into the database and delete others:

Saving Sticky-MAC items from the running memory into the database, and deleting unsaved items, will ensure that, even after the FortiSwitch is rebooted, the trusted MAC addresses will be kept and will not need to be relearned.

execute switch-controller switch-action sticky-mac save all S248EPTF1800XXXX
S248EPTF1800XXXX: Save started...
Warning: Please wait save will take longer time upto 30 seconds...
Collecting config data....Done
Collecting hardware data....Done
Saving....Done
Sticky MAC entries saved = 1    ----------------> Number of saved Sticky MAC items is shown

execute switch-controller switch-action sticky-mac delete-unsaved all S248EPTF1800XXXX

Configure the MAC Learning-limit under the VLAN or managed FortiSwitch ports view:

VLAN view:

config system interface
    edit vsw.aggr1
        set switch-controller-learning-limit 10
    next
end

Ports view:

config switch-controller managed-switch
    edit S248EPTF1800XXXX
        config ports
            edit port6
                set learning-limit 11
            next
        end
    next
end
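The Sticky MAC and learning-limit steps above show a single `diagnose switch mac-address list` line before and after enabling the feature. The Python script below is an added example, not Fortinet's code, that parses a whole table in that line format and, given which ports have sticky-mac enabled and each port's learning-limit, reports dynamic entries that remain on a sticky-mac port and ports whose learned-address count has reached the limit. The table, the sticky-port set and the limits are constructed; the first two MAC entries are the page's, the others are invented.

```python
"""Audit a FortiSwitch MAC table for Sticky MAC and learning-limit posture.

Added example (not Fortinet code). Input is the line format of
`diagnose switch mac-address list` as shown on the page.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed table: the first two lines are the page's, the rest invented.
SAMPLE_TABLE = """\
MAC: 08:5b:0e:06:6a:d4 VLAN: 1 Port: port1(port-id 1) Flags: 0x00030440 [ hit dynamic src-hit native move ]
MAC: 00:0c:29:d4:4f:3c VLAN: 1 Port: port6(port-id 6) Flags: 0x00000020 [ static ]
MAC: 00:0c:29:11:22:33 VLAN: 1 Port: port6(port-id 6) Flags: 0x00030440 [ hit dynamic src-hit native ]
MAC: 00:0c:29:44:55:66 VLAN: 10 Port: port7(port-id 7) Flags: 0x00030440 [ hit dynamic src-hit ]
MAC: 00:0c:29:77:88:99 VLAN: 10 Port: port7(port-id 7) Flags: 0x00030440 [ hit dynamic src-hit ]
"""

# Constructed port settings, mirroring the page's `set sticky-mac enable`
# on port6 and `set learning-limit N` per port.
STICKY_PORTS: Set[str] = {"port6"}
LEARNING_LIMIT: Dict[str, int] = {"port6": 11, "port7": 2}

ENTRY_RE = re.compile(
    r"MAC:\s*([0-9a-f:]{17})\s+VLAN:\s*(\d+)\s+Port:\s*(\S+?)\(port-id\s*\d+\)\s+"
    r"Flags:\s*0x[0-9a-f]+\s+\[\s*([^\]]*?)\s*\]",
    re.IGNORECASE,
)


class Entry(NamedTuple):
    mac: str
    vlan: int
    port: str
    flags: frozenset      # e.g. {"hit", "dynamic", "src-hit"} or {"static"}


def parse_mac_table(text: str) -> List[Entry]:
    """Parse every MAC-table line; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append(Entry(m.group(1).lower(), int(m.group(2)),
                                 m.group(3), frozenset(m.group(4).split())))
    return entries


def audit(entries: List[Entry], sticky_ports: Set[str],
          limits: Dict[str, int]) -> List[str]:
    """Return findings: dynamic entries on sticky ports, and ports whose
    learned-address count is at or above their learning-limit."""
    findings = []
    per_port = defaultdict(list)
    for e in entries:
        per_port[e.port].append(e)
    for port, items in sorted(per_port.items()):
        if port in sticky_ports:
            for e in items:
                if "dynamic" in e.flags:
                    findings.append(f"{port}: {e.mac} still dynamic on a sticky-mac port")
        limit = limits.get(port)
        if limit is not None and len(items) >= limit:
            findings.append(f"{port}: {len(items)} learned addresses, learning-limit {limit} reached")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mac_table(SAMPLE_TABLE), STICKY_PORTS, LEARNING_LIMIT):
        print(finding)
```

A port that hits its learning-limit is exactly the condition the text describes as protection against table-overflow and DHCP-starvation attempts, so a "limit reached" finding on an access port is a signal to look at what is plugged in there, not only at the limit value.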

Quarantine

When the FortiGate detects devices that have lower trust scores, lack mandatory installed software, or are sending out malicious traffic, an administrator can quarantine the device by moving it from the normal switch VLAN to the quarantine VLAN. This limits the device's access and can present it specific information on the quarantine portal page.

To quarantine an active device:

Using the CLI, based on the device’s MAC address:

config user quarantine
    config targets
        edit "manual-qtn-1"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:d4:4f:3c
                    set description "manual-qtn"
                next
            end
        next
    end
end

Using the GUI:

  1. On the FortiGate, go to Security Fabric > Physical Topology, or Security Fabric > Logical Topology.
  2. Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.
  3. Click OK in the Quarantine Host page to quarantine the device.

The quarantined device is moved to the quarantine VLAN, and the configuration of the FortiSwitch port does not change.

The quarantined device gets its IP address from the DHCP server on the quarantine VLAN interface. The network locations that the device can reach depend on the firewall policies configured for the quarantine VLAN interface. By default, the device must acknowledge and accept the information on the Quarantine Portal before it can access any part of the network.

Release or clear the quarantine targets:

Using the CLI:

config user quarantine
    config targets
        delete "manual-qtn-1"
        …
    end
end

config user quarantine
    config targets
        purge
    end
end

Using the GUI:

  1. Go to Monitor > Quarantine Monitor.
  2. Delete the quarantine targets as needed, or click Remove All to delete all the targets.

Flow and Device Detection

Data statistic

This example shows a FortiLink scenario where the FortiGate acts as the switch controller and collects the data statistics of managed FortiSwitch ports. The counters are maintained by each FortiSwitch and aggregated on the controller.

Sample topology

To show data statistics using the GUI:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Select Configure Table.
  3. Select Bytes, Errors and Packets to make them visible.

The related data statistic of each managed FortiSwitch port is shown.

To show data statistics using the CLI:

diag switch-controller switch-info port-stats S248EPTF180XXXX
......
Port(port50) is Admin up, line protocol is down
Interface Type is Gigabit Media Independent Interface(GMII)
Address is 70:4C:A5:E0:F3:8D, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
full-duplex, 1000 Mb/s, link type is manual
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
        0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
        0 unicasts, 0 multicasts, 0 broadcasts
        0 fragments, 0 undersizes, 0 collisions, 0 jabbers
......
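The port-stats output above is what you would poll from the controller to spot link and error problems across managed switches. The following Python parser is an added example and not Fortinet code: it consumes a constructed sample in the same layout (port50 mirrors the idle port shown above; port1 and its non-zero counters are invented), and returns the ports whose error, drop or link-level fault counters are non-zero and the ports that are administratively up but have no link.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of `diagnose switch-controller switch-info port-stats <switch-id>`.
# port50 mirrors the page's idle port; port1 and its counters are invented to show a port with faults.
SAMPLE_PORT_STATS = """\
Port(port1) is Admin up, line protocol is up
Interface Type is Gigabit Media Independent Interface(GMII)
Address is 70:4C:A5:E0:F3:5C, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
full-duplex, 1000 Mb/s, link type is manual
input : 1234567 bytes, 9876 packets, 12 errors, 3 drops, 0 oversizes
        9000 unicasts, 800 multicasts, 76 broadcasts, 0 unknowns
output : 7654321 bytes, 8765 packets, 0 errors, 0 drops, 0 oversizes
        8000 unicasts, 700 multicasts, 65 broadcasts
        2 fragments, 0 undersizes, 0 collisions, 1 jabbers
Port(port50) is Admin up, line protocol is down
Interface Type is Gigabit Media Independent Interface(GMII)
Address is 70:4C:A5:E0:F3:8D, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
full-duplex, 1000 Mb/s, link type is manual
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
        0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
        0 unicasts, 0 multicasts, 0 broadcasts
        0 fragments, 0 undersizes, 0 collisions, 0 jabbers
"""

PORT_HDR = re.compile(r"^Port\((?P<port>\S+)\) is Admin (?P<admin>\w+), line protocol is (?P<proto>\w+)")
DIR_LINE = re.compile(r"^(?P<dir>input|output)\s*:\s*(?P<rest>.*)$")
COUNTER = re.compile(r"(\d+)\s+([a-z]+)")
# Counters reported once per port rather than per direction.
LINK_COUNTERS = {"fragments", "undersizes", "collisions", "jabbers"}


def parse_port_stats(text: str) -> Dict[str, dict]:
    """Return {port: {"admin", "protocol", "input": {...}, "output": {...}, "link": {...}}}."""
    ports: Dict[str, dict] = {}
    current = None
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_HDR.match(line)
        if m:
            current = {"admin": m["admin"], "protocol": m["proto"],
                       "input": {}, "output": {}, "link": {}}
            ports[m["port"]] = current
            direction = None
            continue
        if current is None:
            continue
        m = DIR_LINE.match(line)
        if m:
            direction = m["dir"]
            line = m["rest"]
        if not line[:1].isdigit():
            continue  # Interface Type / Address / MTU / duplex lines carry no counters
        for value, name in COUNTER.findall(line):
            if name in LINK_COUNTERS:
                current["link"][name] = int(value)
            elif direction:
                current[direction][name] = int(value)
    return ports


def ports_with_errors(ports: Dict[str, dict], threshold: int = 0) -> List[str]:
    """Ports whose error/drop counters (both directions) plus link-level faults exceed threshold."""
    flagged = []
    for name, p in sorted(ports.items()):
        faults = sum(p["input"].get(k, 0) + p["output"].get(k, 0) for k in ("errors", "drops"))
        faults += sum(p["link"].values())
        if faults > threshold:
            flagged.append(name)
    return flagged


def link_down_ports(ports: Dict[str, dict]) -> List[str]:
    """Ports that are administratively up but have no link (line protocol down)."""
    return [n for n, p in sorted(ports.items()) if p["admin"] == "up" and p["protocol"] == "down"]


if __name__ == "__main__":
    stats = parse_port_stats(SAMPLE_PORT_STATS)
    print("ports with faults:", ports_with_errors(stats))
    print("admin up / link down:", link_down_ports(stats))
```

Feed the parser the real command output captured over SSH and run it on a schedule; a port whose fault counters keep climbing, or one that flips between link up and down, is worth investigating before it shows up as a user complaint.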

Security Fabric showing

This example shows one of the key components of the Security Fabric concept: FortiSwitches managed over FortiLink. In the FortiGate GUI, you can see the whole picture of the Security Fabric working for your network security.

Sample topology

To show Security Fabric information:

  1. Go to Security Fabric > Physical Topology.
  2. To see the connection between FortiGates and managed FortiSwitches, hover the pointer over the icons to see information about each network element.


Configure multiple FortiAnalyzers on a multi-VDOM FortiGate

This topic shows a sample configuration of multiple FortiAnalyzers on a multi-VDOM FortiGate.

In this example:

  • The FortiGate has three VDOMs:
    • Root (management VDOM)
    • VDOM1
    • VDOM2
  • There are four FortiAnalyzers.

These IP addresses are used as examples in the instructions below.

  • FAZ1: 172.16.200.55
  • FAZ2: 172.18.60.25
  • FAZ3: 192.168.1.253
  • FAZ4: 192.168.1.254
  • Set up FAZ1 and FAZ2 under global.
    • These two collect logs from the root VDOM and VDOM2.
    • FAZ1 and FAZ2 must be accessible from the management VDOM (root).
  • Set up FAZ3 and FAZ4 under VDOM1.
    • These two collect logs from VDOM1.
    • FAZ3 and FAZ4 must be accessible from VDOM1.

To set up FAZ1 as global FortiAnalyzer 1 from the GUI:

Prerequisite: FAZ1 must be reachable from the management root VDOM.

  1. Go to Global > Log & Report > Log Settings.
  2. Enable Send logs to FortiAnalyzer/FortiManager.
  3. Enter the FortiAnalyzer IP. In this example: 172.16.200.55.
  4. For Upload option, select Real Time.
  5. Select Apply.

To set up FAZ2 as global FortiAnalyzer 2 from the CLI:

Prerequisite: FAZ2 must be reachable from the management root VDOM.

config log fortianalyzer2 setting
    set status enable
    set server "172.18.60.25"
    set upload-option realtime
end

To set up FAZ3 and FAZ4 as VDOM1 FortiAnalyzer 1 and FortiAnalyzer 2:

Prerequisite: FAZ3 and FAZ4 must be reachable from VDOM1. The override settings below are per-VDOM, so enter them in the VDOM1 context.

config log setting
    set faz-override enable
end

config log fortianalyzer override-setting
    set status enable
    set server "192.168.1.253"
    set upload-option realtime
end

config log fortianalyzer2 override-setting
    set status enable
    set server "192.168.1.254"
    set upload-option realtime
end

Diagnose command to check FortiAnalyzer connectivity

To use the diagnose command to check FortiAnalyzer connectivity:

  1. Check global FortiAnalyzer status:

FGTA(global) # diagnose test application miglogd 1
faz: global , enabled
server=172.16.200.55, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago. Sn list:
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: global, id=0, fd=90, ready=1, ipv6=0, 172.16.200.55/514 oftp-state=5
faz2: global , enabled
server=172.18.60.25, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.18.60.25, reliable=0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago. Sn list:
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: global, id=1, fd=95, ready=1, ipv6=0, 172.18.60.25/514 oftp-state=5

  2. Check VDOM1 override FortiAnalyzer status:

FGTA(global) # diagnose test application miglogd 3101
faz: vdom, enabled, override
server=192.168.1.253, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.253, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.
Sn list:
(FAZ-VM0000000001,age=17s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: vdom, id=0, fd=72, ready=1, ipv6=0, 192.168.1.253/514 oftp-state=5
faz2: vdom, enabled, override
server=192.168.1.254, realtime=1, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_192.168.1.254, reliable=0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.
Sn list:
(FL-1KET318000008,age=17s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: vdom, id=1, fd=97, ready=1, ipv6=0, 192.168.1.254/514 oftp-state=5
faz3: vdom, disabled, override
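The miglogd diagnose output is the quickest way to confirm that every enabled FortiAnalyzer slot is actually delivering logs, and it is worth checking automatically after a change like the one above: a collector that is configured but disconnected, or one whose queue keeps growing, is a silent gap in your audit trail. The Python parser below is an added example and not Fortinet code. It reads a constructed sample in the same layout as the output shown above (the addresses are the page's; the disconnected faz2 with a large backlog is invented to show a failure case), and reports enabled collectors that are not connected, not ready, or backlogged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of `diagnose test application miglogd 1` / `3101`.
# Addresses follow the page's example; faz2 being disconnected with a backlog is invented.
SAMPLE_MIGLOGD = """\
FGTA(global) # diagnose test application miglogd 1
faz: global , enabled
server=172.16.200.55, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_root_172.16.200.55, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago. Sn list:
queue: qlen=0.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
server: global, id=0, fd=90, ready=1, ipv6=0, 172.16.200.55/514 oftp-state=5
faz2: global , enabled
server=172.18.60.25, realtime=1, ssl=1, state=disconnected, src=, mgmt_name=FGh_Log_root_172.18.60.25, reliable=0
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago. Sn list:
queue: qlen=4213.
filter: severity=6, sz_exclude_list=0 voip dns ssh ssl
server: global, id=1, fd=-1, ready=0, ipv6=0, 172.18.60.25/514 oftp-state=0
faz3: vdom, disabled, override
"""

# Header of one collector slot, e.g. "faz2: vdom, enabled, override".
ENTRY = re.compile(r"(?P<name>faz\d*):\s*(?P<scope>global|vdom)\s*,\s*(?P<admin>enabled|disabled)"
                   r"(?P<override>\s*,\s*override)?")
# key=value pairs; values run to the next comma or whitespace.
KV = re.compile(r"([A-Za-z_][\w-]*)=([^,\s]*)")


def parse_miglogd(text: str) -> Dict[str, dict]:
    """Return {slot: {"scope", "enabled", "override", "fields": {key: value}}}."""
    entries: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.search(line)  # search, so a leading CLI prompt on the same line is tolerated
        if m:
            current = {"scope": m["scope"], "enabled": m["admin"] == "enabled",
                       "override": m["override"] is not None, "fields": {}}
            entries[m["name"]] = current
            continue
        if current is None:
            continue
        for key, value in KV.findall(line):
            # first occurrence wins; trailing "." on values like "qlen=0." is output punctuation
            current["fields"].setdefault(key, value.rstrip("."))
    return entries


def connectivity_problems(entries: Dict[str, dict], max_qlen: int = 0) -> List[Tuple[str, str]]:
    """(slot, reason) for every enabled collector that is disconnected, not ready, or backlogged."""
    problems = []
    for name, e in entries.items():
        if not e["enabled"]:
            continue  # a disabled slot is not a delivery failure
        f = e["fields"]
        if f.get("state") != "connected":
            problems.append((name, f"state={f.get('state')}"))
        elif f.get("ready") != "1":
            problems.append((name, "socket not ready"))
        elif int(f.get("qlen", "0")) > max_qlen:
            problems.append((name, f"backlog qlen={f['qlen']}"))
    return problems


def reliable_collectors(entries: Dict[str, dict]) -> List[str]:
    """Enabled slots configured for reliable (TCP-acknowledged) log delivery."""
    return sorted(n for n, e in entries.items() if e["enabled"] and e["fields"].get("reliable") == "1")


if __name__ == "__main__":
    parsed = parse_miglogd(SAMPLE_MIGLOGD)
    for slot, reason in connectivity_problems(parsed):
        print(f"{slot} ({parsed[slot]['fields'].get('server')}): {reason}")
    print("reliable delivery:", reliable_collectors(parsed))
```

Run the global check (`miglogd 1`) and the per-VDOM override check (`miglogd 3101`) separately and parse each, since an override in VDOM1 does not appear in the global output; alerting on any non-empty `connectivity_problems` result catches the case where logging was configured correctly but the path to the collector has since been broken by a routing or policy change.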
