Managing A FortiSwitch Unit With A FortiGate
Administration Guide
Table of Contents
Change Log
Introduction
    Supported Models
        FortiSwitch Models
        FortiGate Models
    Before You Begin
    How this Guide is Organized
Set-up
    Connecting the FortiSwitch and FortiGate units
        Changing the FortiSwitch unit's management mode
        Enabling the FortiGate's Switch Controller
        Authorizing the FortiSwitch unit as a managed switch
Scenarios
    The Example Network
    Scenario 1: Allowing access to specific users on the marketing VLAN
        Using the web-based manager
        Using the CLI
    Scenario 2: Adding a specific device to the marketing VLAN
        Using the web-based manager
        Using the CLI
    Scenario 3: Accessing the marketing VLAN remotely using an SSL VPN
        Using the web-based manager
        Using the CLI
    Scenario 4: Configuring the accounting VLAN using an SFP port
        Using the web-based manager
        Using the CLI
    Scenario 5: Connecting a VoIP phone to the FortiSwitch
        Using the web-based manager
        Using the CLI
    Scenario 6: Connecting a FortiAP unit to the FortiSwitch
        Using the web-based manager
        Using the CLI
Change Log
Date            Change Description
Sept. 14, 2014  Removed models FS-1024D and FS-1048D, added note about HA mode.
Apr. 30, 2014
Introduction
Welcome and thank you for selecting Fortinet products for your network configuration and
protection. This document is intended to provide an understanding of how to manage a
FortiSwitch unit with a FortiGate unit, also known as using a FortiSwitch unit in FortiLink mode.
Supported Models
FortiSwitch Models
This guide was written for FortiSwitch units running FortiSwitchOS 2.0.3.
The following models are currently supported:
FortiSwitch-28C, FortiSwitch-324B-POE, FortiSwitch-348B, and FortiSwitch-448B.
FortiGate Models
This document was written for FortiGate units running FortiOS 5.0.5.
Only FortiGate models that have the Switch Controller feature can be used to manage a
FortiSwitch unit. This feature is available on the following FortiGate units:
FortiGate-100D, FortiGate-140D, FortiGate-200D, FortiGate-240D, FortiGate-600C,
FortiGate-800C, and FortiGate-1000C.
A FortiGate unit that is operating in HA mode cannot manage a FortiSwitch.
Set-up
This chapter describes the initial set-up that is required before a FortiGate unit can
manage a FortiSwitch unit.
Connecting the FortiSwitch and FortiGate units
Creating Virtual Local Area Networks (VLANs)
can be increased for the accounting department without also increasing it for the marketing
department.
Now that your FortiSwitch unit is managed by your FortiGate unit, a VLAN can be configured on
the FortiSwitch, using the FortiGate.
The following instructions will create a VLAN to be used by the marketing team for network and
Internet access. The PCs used by the marketing team will connect to ports 3-6 on the
FortiSwitch unit.
Setting up a VLAN requires:
1. Creating the VLAN.
2. Assigning ports on the FortiSwitch unit to the VLAN.
Name               marketing
Color
IP/Network Mask    172.20.120.10/255.255.255.0
Policy Type           Firewall
Policy Subtype        Address
Incoming Interface    marketing
Source Address        all
Outgoing Interface    wan1
Schedule              always
Service               ALL
Action                ACCEPT
Enable NAT            Enable
Logging Options
2. Select OK.
With this security policy in place, all computers connected to the marketing VLAN can now
access the Internet.
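The whole set-up procedure (VLAN, FortiSwitch port assignment, security policy) in CLI form, as an added example that is not part of the Fortinet guide. It assumes the FortiLink-facing FortiGate interface is named internal, that VLAN ID 10 is unused, and uses <FortiSwitch-serial> as a placeholder for the authorized switch's serial number. The switch-controller port syntax shown is the later FortiOS form and may differ on 5.0.5; check it with ? in the CLI before pasting.

```fortios
# Added example, not from the Fortinet guide.
# Assumptions: FortiLink parent interface "internal", VLAN ID 10 free,
# "<FortiSwitch-serial>" stands for the managed switch's serial number.

# 1. Create the marketing VLAN interface on the FortiGate.
#    Only ping is allowed to the interface itself: no GUI/SSH on a user VLAN.
config system interface
    edit marketing
        set vdom root
        set type vlan
        set interface internal
        set vlanid 10
        set ip 172.20.120.10 255.255.255.0
        set allowaccess ping
    next
end

# 2. Assign FortiSwitch ports 3-6 to the VLAN through the switch controller.
config switch-controller managed-switch
    edit <FortiSwitch-serial>
        config ports
            edit port3
                set vlan marketing
            next
            edit port4
                set vlan marketing
            next
            edit port5
                set vlan marketing
            next
            edit port6
                set vlan marketing
            next
        end
    next
end

# 3. Security policy: marketing VLAN to the Internet via wan1, NAT and logging on.
config firewall policy
    edit 1
        set srcintf marketing
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set logtraffic all
        set nat enable
    next
end
```

Service ALL matches the guide's example, but a production policy should list only the services the marketing PCs need; with logtraffic all in place you can read the logs for a week and narrow the service list from what actually appears. After the paste, show switch-controller managed-switch confirms the port-to-VLAN assignment took effect.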
Scenarios
This chapter contains practical examples of how to use the FortiSwitch unit to manage a
network. The scenarios are as follows:
Scenario 1: Allowing access to specific users on the marketing VLAN
Scenario 2: Adding a specific device to the marketing VLAN
Scenario 3: Accessing the marketing VLAN remotely using an SSL VPN
Scenario 4: Configuring the accounting VLAN using an SFP port
Scenario 5: Connecting a VoIP phone to the FortiSwitch
Scenario 6: Connecting a FortiAP unit to the FortiSwitch
VLAN           IP/Network Mask                FortiSwitch port(s)   Device(s)
marketing      172.20.120.10/255.255.255.0    3-6                   3 marketing PCs, marketing laptop
accounting     172.20.120.15/255.255.255.0    21 (SFP)              accounting network
voip           172.20.120.16/255.255.255.0    10                    VoIP phone
access_point   172.20.120.17/255.255.255.0    1                     FortiAP-11C
There are six devices that connect directly to the FortiSwitch unit's ports using Ethernet
cables: the three marketing PCs, the marketing laptop, the VoIP phone, and the FortiAP unit.
The accounting VLAN connects to the FortiSwitch using an SFP port.
There are three marketing employees (Jane Smith, Tom Brown, Bob Lee) who will access the
marketing VLAN from the marketing PCs.
The MAC address of the marketing laptop is 01:23:45:67:89:ab. (This is a placeholder: the
first octet 01 has the group bit set, which marks a multicast address, so a real laptop will
have a unicast MAC.)
The IP range for the VoIP phone is 10.10.10.10-10.10.10.50.
The FortiAP unit is a FortiAP-11C, serial number FAP11C3X12000412.
User Name      blee
Password       password

Schedule Name  part-time_schedule
3. Select OK.
The schedule part-time_schedule will now appear in the schedule list.
Configuring the Firewall Policy
1. Go to Policy > Policy > Policy and select the policy for the marketing VLAN. Select Edit.
2. Set Policy Subtype as User Identity.
3. Under Configure Authentication Rules, select Create New.
4. Change the following settings to set access for part-time employees:
Destination Address    all
Group(s)               part-time
Schedule               part-time_schedule
Service                ALL
Action                 ACCEPT
Logging Options
5. Select OK.
6. Under Configure Authentication Rules, select Create New.
7. Change the following settings to set access for full-time employees:
Destination Address    all
Group(s)               full-time
Schedule               always
Service                ALL
Action                 ACCEPT
Logging Options
8. Select OK.
9. Select OK.
You have now finished creating a policy that matches scenario 1. This policy will apply to all
three users when they use any of the PCs that connect to the marketing VLAN.
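The same user-identity policy in CLI form, as an added example that is not part of the Fortinet guide. It assumes policy 2 is the marketing VLAN policy created during set-up, that blee is the part-time employee (the guide attaches the part-time schedule to that account) while jsmith and tbrown are full-time, that part-time hours are Monday to Wednesday 09:00-17:00, and that the passwords are placeholders. The identity-based-policy sub-table is the FortiOS 5.0 form of an authentication rule.

```fortios
# Added example, not from the Fortinet guide.
# Assumptions: policy 2 is the marketing VLAN policy, blee is part-time,
# jsmith/tbrown are full-time, hours and passwords are placeholders.

config user local
    edit jsmith
        set type password
        set passwd <strong-password-1>
    next
    edit tbrown
        set type password
        set passwd <strong-password-2>
    next
    edit blee
        set type password
        set passwd <strong-password-3>
    next
end

config user group
    edit full-time
        set member jsmith tbrown
    next
    edit part-time
        set member blee
    next
end

# Recurring schedule that bounds when the part-time rule can match.
config firewall schedule recurring
    edit part-time_schedule
        set day monday tuesday wednesday
        set start 09:00
        set end 17:00
    next
end

# Turn the marketing VLAN policy into a user-identity policy. Each
# authentication rule carries its own group, schedule and service;
# a user who is not in either group, or who is outside the schedule,
# matches nothing and is denied.
config firewall policy
    edit 2
        set srcintf marketing
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set nat enable
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups part-time
                set schedule part-time_schedule
                set service ALL
                set logtraffic all
            next
            edit 2
                set groups full-time
                set schedule always
                set service ALL
                set logtraffic all
            next
        end
    next
end
```

With identity-based enable, a PC on the marketing VLAN gets a captive-portal login before any traffic passes, so the policy is only as strong as the credentials behind it. The guide's local accounts with the password "password" are fine for a lab; in production point the groups at an LDAP or RADIUS server instead of local users.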
3, 4, 5 or 6 on the FortiSwitch. Adding a new policy for the laptop will allow it to connect without
requiring user authentication and will also limit the scope of the device's access.
MAC Address        01:23:45:67:89:ab
IP                 172.20.120.254
Action             Reserve IP
Address
Name               marketing_laptop
Type               Subnet
Subnet/IP Range    172.20.120.254
Interface          marketing
Policy Type           Firewall
Policy Subtype        Address
Incoming Interface    marketing
Source Address        marketing_laptop
Outgoing Interface    wan1
Schedule              always
Service               HTTP, HTTPS, DNS
Action                ACCEPT
Enable NAT            Enabled
Logging Options
3. Select OK.
4. In the policy list, select the Seq.# column of the new policy and drag the policy above the
previous policy for the marketing VLAN. This will ensure that the laptop will be identified
through this policy.
You have now finished creating a policy that matches scenario 2. This policy will apply to
anyone who uses the laptop to connect to the marketing VLAN using an Ethernet cable.
3. Create a firewall policy for the marketing VLAN that uses the reserved IP.
config firewall policy
    edit 3
        set srcintf marketing
        set dstintf wan1
        set srcaddr marketing_laptop
        set dstaddr all
        set action accept
        set schedule always
        set service HTTP HTTPS DNS
        set logtraffic all
        set nat enable
end
4. Place the new policy above the existing marketing VLAN policy (policy 2), so that traffic from
the laptop's reserved address matches the laptop policy before the broader one.
config firewall policy
    move 2 after 3
end
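The two CLI steps that precede the policy above, the DHCP reservation and the address object, as an added example that is not part of the Fortinet guide. It assumes the marketing VLAN runs a DHCP pool of 172.20.120.100-172.20.120.200 (the guide does not give one) and that DHCP server table ID 1 is free.

```fortios
# Added example, not from the Fortinet guide.
# Assumptions: pool 172.20.120.100-200 on the marketing VLAN, server ID 1 free.

config system dhcp server
    edit 1
        set interface marketing
        set default-gateway 172.20.120.10
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 172.20.120.100
                set end-ip 172.20.120.200
            next
        end
        # Reserve 172.20.120.254 (outside the dynamic pool) for the laptop's MAC.
        config reserved-address
            edit 1
                set mac 01:23:45:67:89:ab
                set ip 172.20.120.254
            next
        end
    next
end

# A /32 address object so the laptop policy matches only the reserved host.
config firewall address
    edit marketing_laptop
        set subnet 172.20.120.254 255.255.255.255
        set associated-interface marketing
    next
end
```

Keep in mind what this does and does not give you: a MAC-based reservation is a convenience, not authentication. Anyone on ports 3-6 who clones the laptop's MAC receives 172.20.120.254 and matches policy 3 without ever seeing the captive portal, so the narrow service list (HTTP, HTTPS, DNS) is what limits the damage. Where the bypass matters, pair the reservation with port-level 802.1X or keep the device under the identity policy.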
Name               marketing VLAN
Type               Subnet
Subnet/IP Range    172.20.120.14/255.255.255.0
Interface          marketing
2. Select OK.
Creating an SSL VPN Web Portal
1. Go to VPN > SSL > Portals and select Create New. Change the following settings:
Name               marketing-remote
                   Disable
IP Pools           SSLVPN_TUNNEL_ADDR1
Client Options
  Auto Connect     Enable
Applications
2. Select Apply.
Creating a Firewall Policy
1. Go to Policy > Policy > Policy and select Create New.
2. Change the following settings:
Policy Type               VPN
Incoming Interface        wan1
Remote Address            all
Local Interface           marketing
Local Protected Subnet    marketing VLAN
Group(s)                  remote access
User(s)                   tbrown
Schedule                  always
SSL-VPN Portal            marketing-remote
Logging Options
5. Select OK.
6. Select OK.
The FortiClient SSL VPN tunnel client will also need to be configured for Tom Brown to
connect to the SSL VPN tunnel.
You have now finished creating a policy that matches scenario 3. This policy will be used
whenever Tom Brown accesses the marketing VLAN remotely.
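The SSL VPN scenario in CLI form, as an added example that is not part of the Fortinet guide. It assumes tbrown's password is a placeholder, that the SSL VPN listens on port 10443, and that set action ssl-vpn with an sslvpn-portal inside the identity-based-policy sub-table is the FortiOS 5.0 form of the policy (later releases use a plain accept policy from the ssl.root interface instead). The guide's address 172.20.120.14/255.255.255.0 is the same subnet written with host bits; FortiOS stores it as 172.20.120.0/24.

```fortios
# Added example, not from the Fortinet guide.
# Assumptions: placeholder password, port 10443, FortiOS 5.0 ssl-vpn policy form.

config user local
    edit tbrown
        set type password
        set passwd <strong-password>
    next
end

config user group
    edit "remote access"
        set member tbrown
    next
end

config firewall address
    edit "marketing VLAN"
        set subnet 172.20.120.0 255.255.255.0
        set associated-interface marketing
    next
end

# Tunnel-mode portal; web mode is off because FortiClient is the client.
config vpn ssl web portal
    edit marketing-remote
        set tunnel-mode enable
        set ip-pools SSLVPN_TUNNEL_ADDR1
        set auto-connect enable
        set web-mode disable
    next
end

config vpn ssl settings
    set sslvpn-enable enable
    set port 10443
end

# SSL VPN policy from wan1 into the marketing VLAN, restricted to the
# "remote access" group through the marketing-remote portal.
config firewall policy
    edit 5
        set srcintf wan1
        set dstintf marketing
        set srcaddr all
        set dstaddr "marketing VLAN"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "remote access"
                set schedule always
                set service ALL
                set sslvpn-portal marketing-remote
                set logtraffic all
            next
        end
    next
end
```

Two things a reviewer would flag before this goes live: srcaddr all (the guide's Remote Address all) exposes the login page to every address on the Internet, so narrow it to known source ranges where the users' locations allow it; and the FortiGate's factory self-signed server certificate trains users to click through warnings, so install a CA-issued certificate and, for a single user with access to an internal VLAN, add a second authentication factor.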
In Scenario 4, a second VLAN will be created on the FortiSwitch for the accounting
department. This VLAN connects to the FortiSwitch unit through a copper SFP transceiver
installed in the FortiSwitch. Due to the sensitive nature of the information on the
accounting network, the firewall policy that controls traffic to this network uses the default
profile for all security features.
Name               accounting
Color
IP/Network Mask    172.20.120.15/255.255.255.0
2. Select OK.
3. Go to WiFi & Switch Controller > Managed Devices > Managed FortiSwitch and assign
FortiSwitch port 21 to accounting.
Policy Type           Firewall
Policy Subtype        Address
Incoming Interface    accounting
Source Address        all
Outgoing Interface    wan1
Schedule              always
Service               ALL
Action                ACCEPT
Enable NAT            Enabled
Logging Options
2. Enable the following Security Profiles and set them to use the default profile: AntiVirus, Web
Filter, Application Control, IPS, Email Filter, DLP Sensor, and SSL/SSH Inspection.
3. Select OK.
You have now finished creating a policy that matches scenario 4. This policy will be used for all
traffic on the accounting VLAN.
4. Create a firewall policy for the accounting VLAN that uses the default security profiles.
config firewall policy
edit 4
set srcintf accounting
set dstintf wan1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set logtraffic all
set nat enable
set av-profile default
set webfilter-profile default
set spamfilter-profile default
set dlp-sensor default
set ips-sensor default
set application-list default
set profile-protocol-options default
set deep-inspection-options default
end
Name               voip
Color
IP/Network Mask    172.20.120.16/255.255.255.0
2. Select OK.
3. Go to WiFi & Switch Controller > Managed Devices > Managed FortiSwitch and assign
FortiSwitch port 10 to voip.
Address
Name               voip_phone
Color
Type               IP Range
Subnet/IP Range    10.10.10.10-10.10.10.50
Interface          voip
2. Select OK.
Create a Firewall Policy
1. Go to Policy > Policy > Policy and select Create New. Change the following settings:
Policy Type           Firewall
Policy Subtype        Address
Incoming Interface    voip
Source Address        voip_phone
Outgoing Interface    wan1
Schedule              always
Service               SIP
Action                ACCEPT
Enable NAT            Enabled
Logging Options
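The VoIP scenario in CLI form, as an added example that is not part of the Fortinet guide. It assumes policy ID 6 is free and that set voip-profile default attaches the FortiOS SIP ALG to the policy. Note also that the guide's phone range 10.10.10.10-10.10.10.50 is not inside the voip VLAN's own subnet (172.20.120.16/24), so the policy only matches if the phone really uses one of those addresses.

```fortios
# Added example, not from the Fortinet guide.
# Assumptions: policy ID 6 free; "set voip-profile default" is how the SIP ALG
# is attached on this release.

# IP-range address object for the phone(s), tied to the voip interface.
config firewall address
    edit voip_phone
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.50
        set associated-interface voip
    next
end

# Service SIP covers the signalling only (UDP/TCP 5060). The media runs over
# RTP on dynamic ports; the SIP ALG/session helper reads the SDP in the
# permitted signalling and opens those pinholes for the call's duration.
config firewall policy
    edit 6
        set srcintf voip
        set dstintf wan1
        set srcaddr voip_phone
        set dstaddr all
        set action accept
        set schedule always
        set service SIP
        set logtraffic all
        set nat enable
        set voip-profile default
    next
end
```

If the SIP ALG and the SIP session helper are both disabled on the unit, a SIP-only policy lets calls set up and then silently drops the audio; in that case the RTP port range the phones use has to be added to the service list explicitly. The VoIP profile is also where call-rate limits live, which is the usual control against a compromised phone being used for toll fraud.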
Name               access_point
Color
IP/Network Mask    172.20.120.17/255.255.255.0
DHCP Server        Enable
2. Select OK.
3. Go to WiFi & Switch Controller > Managed Devices > Managed FortiSwitch and assign
FortiSwitch port 1 to access_point.
Name               WLAN
Type               WiFi SSID
Traffic Mode
IP/Network Mask    172.20.120.17/255.255.255.0
DHCP Server        Enabled
SSID               wireless
Pre-shared Key     password
3. Select OK.
Note that these settings give the SSID interface the same address as the access_point VLAN. A
FortiGate rejects an interface address that overlaps an existing interface's subnet (unless subnet
overlap has been deliberately allowed), so in practice the SSID interface needs its own subnet. The
pre-shared key "password" is only a placeholder; a WPA2-Personal network needs a long, random
passphrase.
Create a Firewall Policy
1. Go to Policy > Policy > Policy and select Create New.
Policy Type           Firewall
Policy Subtype        Address
Incoming Interface    access_point
Outgoing Interface    wan1
Schedule              always
Service
Action                ACCEPT
Enable NAT            Enabled
Logging Options
3. Select OK.
4. Go to WiFi & Switch Controller > Managed Devices > Managed FortiAPs. The Status icon
now appears in green, showing that the FortiAP unit is online.
You have now finished creating a policy that matches scenario 6.
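The FortiAP scenario in CLI form, as an added example that is not part of the Fortinet guide. It assumes the access_point VLAN already exists (created as in the set-up chapter), that the SSID interface gets its own subnet 172.20.121.1/24 rather than the VLAN's address, that the DHCP pools and server IDs 2 and 3 are free, that the passphrase is a placeholder, and that binding the SSID to the AP through a wtp-profile (named fap11c-profile here, a made-up name) is the form this release accepts; verify the wireless-controller tables with ? before pasting.

```fortios
# Added example, not from the Fortinet guide.
# Assumptions: access_point VLAN exists; SSID subnet 172.20.121.0/24;
# DHCP IDs 2 and 3 free; placeholder passphrase; wtp-profile form.

# DHCP on the AP VLAN so the FortiAP gets an address and can find the controller.
config system dhcp server
    edit 2
        set interface access_point
        set default-gateway 172.20.120.17
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 172.20.120.100
                set end-ip 172.20.120.200
            next
        end
    next
end

# The SSID: WPA2-Personal with a long random passphrase, not "password".
config wireless-controller vap
    edit wireless
        set vdom root
        set ssid wireless
        set security wpa2-only-personal
        set passphrase <long-random-passphrase>
    next
end

# Creating the VAP creates a system interface of the same name; give it
# its own subnet and a DHCP pool for wireless clients.
config system interface
    edit wireless
        set ip 172.20.121.1 255.255.255.0
        set allowaccess ping
    next
end

config system dhcp server
    edit 3
        set interface wireless
        set default-gateway 172.20.121.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 172.20.121.100
                set end-ip 172.20.121.200
            next
        end
    next
end

# Authorize the FortiAP by serial number and bind the SSID to its radio.
config wireless-controller wtp-profile
    edit fap11c-profile
        config radio-1
            set vaps wireless
        end
    next
end

config wireless-controller wtp
    edit FAP11C3X12000412
        set admin enable
        set wtp-profile fap11c-profile
    next
end

# In tunnel mode, client traffic arrives on the SSID interface, not on the
# AP VLAN, so that is the policy the wireless users actually hit.
config firewall policy
    edit 7
        set srcintf wireless
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set logtraffic all
        set nat enable
    next
end
```

Keeping the AP management VLAN (access_point) and the client SSID interface separate means a compromised wireless client never sits on the segment that carries the AP's CAPWAP control traffic. For a corporate network, WPA2-Enterprise against the same LDAP or RADIUS server used for the identity policies is preferable to a shared passphrase, which has to be rotated every time someone leaves.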