Manage FortiSwitch with FortiGate, FortiOS 7.0

Captions
In this video we will go over how to configure a FortiGate firewall to manage a FortiSwitch or multiple FortiSwitches. Now, to start, there are multiple different ways that you could decide to manage your FortiSwitches, right? You can do it the traditional method that we've all been used to in the past, where you log into each switch, and that would be a FortiSwitch standalone device. You could also do it where the switches get managed by Fortinet's cloud option; it's called FortiLAN Cloud. Or, in this case, we're going to focus on how we can do it from the FortiGate. So pretty much by just logging into the FortiGate you reduce complexity by being able to access your switches right there instead of going into a different console, you gain more visibility as to what's happening on your switches' network, and then you can also leverage certain automation. So I'll put some suggested videos; I'll keep updating them.

All right, so with the configuration, let's go to WiFi & Switch Controller > FortiLink Interface. We can see here that by default there's an interface named fortilink, and under that interface there are supposed to be certain interface members. The interface members are going to be physical ports on the FortiGate firewall, and those physical ports are going to be dedicated for FortiSwitches connecting to this FortiGate for management. So we can see here that there are currently no interfaces that can be added as a member, based on this FortiGate's config. To address that, let's go to Network > Interfaces, and I'm just going to try and find some interfaces that I can break apart from maybe some existing configurations that I have. So let's pull apart internal6 and internal7 from an existing hardware switch that's on the firewall. There we see internal6 and internal7; both of these interfaces, as you can see, have no references associated with them, so they should be good for us to go back to WiFi & Switch Controller and use them as interface members for FortiLink. In this case I'm going to start with just using internal7; maybe we can use internal6 in a bit here. Okay, let's save that config. We can also see here that there is a default IP address for this virtual interface, the FortiLink interface, and there's also a DHCP range that's going to be associated to FortiSwitches that connect up to this firewall.

All right, now I'm going to connect a FortiSwitch up to the internal7 port on the FortiGate. There we go, I have it connected up, but we still don't see any FortiSwitch connected; it's just rebooting right now, or it's just booting up, so let's give it another minute or so. There we go, just like that we see the FortiSwitch is connected. Now, as the next step, let's go to Managed FortiSwitches, right-click it, and then authorize that FortiSwitch that we've just connected. It says it'll take from six to eight minutes. All right, after a few minutes we can see that the FortiSwitch is now online, and one interesting item that we can do here is, if we go to the far right and change from list to topology view, we can actually see what ports are connected from the FortiGate to the FortiSwitch. So we can see that internal7 on the FortiGate firewall is connected to port 24 on the FortiSwitch, and you can hover right in between, on this logical link that got created, and that's where you can see both sides. Also, if we hover over the FortiSwitch and go to switch actions, we have a lot of options here: if we want to de-authorize or delete the switch, if we want to factory reset it if you ever had to, and also some diagnostics and tools to see where we're at for CPU, memory, and resource usage on the switch. You can do a bit of a cable test, view some logs, CLI access, so lots of good information there.

Now, because we do have the switch authorized, that's really all that it takes, and now we should be able to start configuring FortiSwitch ports. Okay, and pretty quickly here we can see all of the ports. So it's a 24-port switch with, I believe, four SFP ports connected from port 25 to 28, but it is a 24-port switch. We can see the ports that are connected, we can see what features are enabled, we can see the native VLANs. So you can think of this native VLAN as the access VLAN, essentially; when somebody connects up to, for example, port 1 on this physical FortiSwitch, they're going to be associated with VLAN 1. And it's kind of cool here, you can just change that on the fly to any other VLANs that are configured on the network. We have PoE information and device information about what device might be connected to that port; in this case I have an access point connected to it, but we can also see information about various other devices. From a troubleshooting perspective, let's say somebody had a certain issue and you're running a sniffer, for example, in the firewall and can't see the traffic. Well, you could say, hey, what's your MAC address? Find an end user's MAC address, put that in here, and really quickly you can identify which physical port on the switch that device is connected to and which VLAN that device is associated with.

So maybe we can go over a bit of a start-to-finish example. Right now we're in the switch configuration, but let's go back to the regular FortiGate firewall configuration. If we were to create a new interface, let's just create a new interface and associate it with the FortiLink interface. Let's just call this production; maybe this is our production interface. The VLAN ID will be 100, and then let's just create the IP address; this is going to be the FortiGate's IP address for VLAN 100, and we'll have a DHCP server set up. Okay, we're good to go. So we've associated that with the FortiLink interface; essentially we have a sub-interface on the FortiGate firewall called this production VLAN. That's really all that it takes, and now we can start immediately referencing it on that FortiSwitch. So if we go back to that section, WiFi & Switch Controller > FortiSwitch Ports, and look at port 6 here, I have some devices connected to it; these are all the devices that are actually in this ESXi environment. I have a Windows machine there, so let's change the native VLAN from VLAN 1 to that production VLAN, which automatically shows up here. We'll hit apply, and just like that, when traffic flows through the device that's connected to port 6, the switch is going to tag that traffic with VLAN ID 100. That traffic is then going to be sent up the trunk link as a tagged packet that goes up to this FortiGate, and the next step is that it actually hits this interface associated with the FortiLink, which is going to be production. So, to go over that quick example, I'm just going to enable ping here, and then let's go over to that virtual machine. All right, now on that VM we can see that it received a DHCP address on the 192.168.111 network. We can do a ping to 111.1, which is the default gateway, which is the FortiGate, and then if we try and access the internet it's not going to work; we don't have a firewall policy set. All right, so on the FortiGate I've already gone ahead and pre-configured a policy: the production VLAN, so VLAN ID 100, so any tagged traffic that hits the FortiGate on VLAN ID 100 we're going to send out the WAN interface. We've created that policy, let's go back to the device, and there we go, now we have internet access.

All right, so at this point you can probably stop the video if this is everything that you were looking for, but we'll go over a couple more things. You can check the chapters below to pick and choose what you want to see, but let's cover a few more items. One item that might come up is redundancy with the links between the FortiGate and the FortiSwitch. Up until now we've just been using this internal7 interface on the FortiGate, and we don't actually have anything that's redundant from a multiple-link perspective between the FortiGate and the switch. So if we select that other interface that we made available to us in the very beginning of the video, which is internal6 on the FortiGate, and add that, then, going back to our topology here, I've got port 24 on the switch connected to internal7 on the FortiGate; let's connect port 23 to internal6 on the FortiGate. Okay, so internal6 on the FortiGate is connected to port 23 on the FortiSwitch. Even though those physical connections have been made on my end, as I'm refreshing this FortiLink interface page we can see that internal6 is not lighting up as green here, and the reason for that is because we have what's called the FortiLink split interface enabled. This is actually by design; you can look it up to see its underlying purpose, but essentially it's expected at the moment that even though there's a physical connection, it's not actually showing the link as up between internal6 and port 23 on the FortiSwitch. To show how this FortiLink split interface works, I'm going to unplug internal7 from the FortiGate, and we can see immediately that internal6 lights up, and that's the active link. So this is expected behavior, but let's do a test here: we'll reconnect internal7. I'll do that now. Okay, it's been reconnected. Same as before, when I refresh it, only internal6, the existing active link, is going to show as up, but both ports are now connected. Let's actually disable FortiLink split interface, and pretty quickly here we can see that both of these links are now active. Then if I go into the CLI here, I can type in diag netlink aggregate name fortilink, because fortilink is the name of the logical interface, and we can see here that it actually established an LACP connection between the two. So now we've added that redundancy that we would be looking for initially, and back in our Managed FortiSwitch topology we can see that now fortilink, which is internal7 and internal6, is connected to FortiSwitch port 23 and port 24, and this is the LACP link between the two, and the topology is updated. You might have to give the topology a few minutes before it actually updates; it might show an older value just temporarily. There is a bit of GUI stuff that has to go on in the background to show you that updated topology.

So just in general, from a topology standpoint, it's worth it to check the FortiSwitch managed topologies documentation that Fortinet has. We can have some basic topologies, like a single FortiGate managing a single FortiSwitch unit, kind of like we have right now, or maybe we can get into some more complex environments, and this also depends on switch model as well, as you can have some more complex topologies. In this case, let's pick one of these options here, which could be, so yeah, HA mode FortiGate. Okay, so we can see that this topology looks more complex, but if I take just a subset of this topology, then maybe I'll just say, okay, we have the FortiGate already; say, for example, that the switch that we've been using up until now could be that distribution switch, but then maybe I just want to hang another switch off of that distribution switch, to pretty much use this topology but make it more applicable to the environment with the gear that I've got available. So let's try something like that; let's just hang a smaller switch off of that distribution switch. Back to the FortiGate, I've got port 23 and port 24 already allocated. We can just go to our FortiSwitch Ports section here; we've got lots available, so maybe we'll just use port 22. I'm going to take an 8-port switch, it's called a 108D FortiSwitch, and I'm just going to connect it up to port 22 now. All right, so once it is showing up here, we follow the same procedure as we did with the initial 24-port switch: we'll just right-click it, click authorize, and then wait a few minutes for it to go online. All right, now we can see that the switch is online. We can change to the topology view here, and just like that the new topology has automatically built itself. Some of this stuff might still take some time here, but overall it looks pretty good; we can see that that connection is up and running. So when we go to FortiSwitch Ports now, we're going to see an additional switch in the view. If we collapse everything, here's the switch we were looking at initially, and here is the new switch. There's an automatic trunk that gets created between, for example, port 10 on the 108D, the eight-port smaller switch, which is connected up to port 22 on the larger switch, and pretty much any type of native VLAN configuration that we do on this switch is going to just be trunked up to the upstream switch, which is the 224E, and then trunked again up to the FortiGate.

All right, so let's end off with just a few troubleshooting tips and tools here. To start, if we just want to see basic status of the FortiSwitches that are connected: execute switch-controller get-conn-status. So we can get an idea as to serial number, version, whether they're authorized and up, their IP address, when they joined, and if there's any type of configuration sync errors, for example, then you'd see one of these flags showing up here. What's another command? execute switch-controller get-sync-status all, just some information about configuration sync status. Or some more diagnostics: you could go diagnose (or diag) switch-controller switch-info; I'm just going to put in a question mark here, and there are just a lot of options that you can use to really get a lot of information from the switch via the FortiGate in this case, because the FortiGate is the one that's managing these switches, so you can get a lot of information just from the firewall. So, for example, let's get an idea on some of the port stats. We can see every switch port and its individual interface configuration; I suppose you can probably dive deeper into that command and go to a specific port, for example. There we go. Going back to that switch-info command, I just press up to go to a previous command I've already entered, and then if I go mac-table we can get an idea as to the MAC address table. Another command that we could do, if we want to have maybe a CLI version of the configuration, is to type in something like what I have above there: execute switch-controller and then get-physical-conn, and then we could have different formations of how the topology looks. So this is kind of showing us a CLI representation of the topology; the first one was dot, the second one can be standard, to just give me a different overview of how the configuration is from pretty much switch port to switch port.

We can also run some debugs too. So if we type in diagnose debug application fortilinkd -1, we can have some troubleshooting information about connectivity between the FortiGate and the FortiSwitch, if there's any type of issues being seen there. I'm going to type in debug disable here to stop that output, and debug reset to reset the filter. Another one we could try is diag debug application flcfgd -1. This one's kind of interesting. Okay, so let's start that, let's enable it. Okay, so there's really nothing that's running right now; it's saying no job to schedule. But if I went to the FortiSwitch now and made a configuration change, let's say I just configure a port for a different VLAN and then quickly go back to that debug, there we go. So we could have that information; we can actually see what specifically is going on, we can help TAC, or whatever it might be. It can give us an idea as to what's happening with the configuration on the back end there. Another item to be aware of is that the FortiSwitches really rely on NTP; they do need to have the correct timestamp. So make sure that you have an NTP server that has the same time as the FortiGate; just check those times. You can use the FortiGate as an NTP server for devices connected on the FortiLink, which is going to be the FortiSwitches.

Now let's consider a scenario too where we would want to maybe do some troubleshooting and run a sniffer on specific traffic that's coming from a switch port on the FortiSwitch. Well, to start with that, I think we need to step back a little bit and just understand the topology, so that we know which interface we actually need to be looking for traffic on. So, using this machine that we have on the right-hand side here, 192.168.111.8, let's just think about the topology before traffic actually hits the firewall. It's just a really rough topology I have here on the left side. We can think about it this way: traffic originating from 192.168.111.8, since that's connected to the FortiSwitch, that FortiSwitch's interface is VLAN 100. So if we go to WiFi & Switch Controller > FortiSwitch Ports, that device is connected to port 6 in my case, which is the production VLAN, VLAN 100. So that traffic, as expected, is going to be sent over a trunk interface up to the FortiGate 61E, which we see right here; that's the next step. Okay, well, the traffic is going to be received on either the internal6 or the internal7 interface based on this current configuration, and that's because if we look at the managed FortiSwitch here, port 23 on the switch is connected to internal7 and internal6 on the FortiGate, so those physical interfaces will receive a tagged packet, sorry, a tagged frame. Now let's follow that internal6 and internal7 interface: if we go to Network > Interfaces, we just confirm here that yes, the members of fortilink are internal7 and internal6. So we can see here that when the tagged frame for VLAN 100 hits internal7 or internal6 on the physical port, that's automatically going to be directed to the FortiLink interface. So now the FortiLink interface has that traffic.

So let's take a stop here and actually relate that to a sniffer. Let's do a sniffer on the FortiLink interface for a second. Let's type in the following command (and for more information about the sniffer, I have a suggested link here with more details about the specific commands): diag sniffer packet, and then the interface that we are filtering on is going to be fortilink. We'll have an empty filter, so we're not looking for a specific host or anything like that, and then additionally let's type in 4 0 l (as in lima). Okay, there we go. As you can see, right now we're sniffing for traffic here. Each packet per line on this sniffer is showing me what type of traffic is hitting that FortiLink interface directly, so we can see a lot of traffic showing 802.1Q VLAN 100, and that's because the FortiLink interface isn't going to see the actual specific traffic, because it's going to be tagged. So all it's showing us is, okay, this interface is receiving a tagged packet on VLAN 100. This is a small environment, so everything that's happening on this machine is really what we're seeing; every single packet shows this. But if we want the actual details of, say, someone doing an actual ping, something like that, if we want to see that detail on the FortiGate sniffer, we have to take the next step, and we actually have to focus not just on this FortiLink interface but on the interface below it, and the interface below it is this production interface. So now if I change the filter on the sniffer to be specific to production, then the traffic that the FortiGate receives that's tagged with VLAN ID 100 is actually going to show up in the sniffer. So I'll type in production, and now let's actually put in our filter, for example. All right, now we'll go back here, let's do our ping back to the FortiGate, and there we go, now the sniffer actually picks it up. So hopefully that helps you get a better idea as to how to troubleshoot, but it can also give you the approach as to how you need to be thinking about the topology, because there are a lot of components, but at the end of the day it does get simpler once we lay things out this way to really understand how the traffic is flowing from a device connected to the FortiSwitch, through that FortiLink trunk to the FortiGate, and then actually hitting the individual sub-interface, or VLAN interface, on the FortiGate, which in this case was named production on VLAN 100. All right, thanks everyone for joining in here, and we'll see you in the next video.
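The configuration the video builds in the GUI, written out as FortiOS CLI so it can be reviewed and reproduced. This is an added example, not code from the video or from Fortinet's documentation. It reuses the names the video uses (fortilink, internal6, internal7, production, VLAN 100, the 192.168.111.0/24 network, switch port6) and assumes wan1 as the WAN interface name and a placeholder for the FortiSwitch serial number, neither of which the video states. It reflects the end state of the video, with FortiLink split interface disabled so both members form the LACP bundle. Lines starting with # are annotations.

```text
# --- FortiLink aggregate: two dedicated FortiGate ports for switch management ---
config system interface
    edit "fortilink"
        set fortilink enable
        # Disabled at the end of the video so internal6 and internal7 are both active (LACP)
        set fortilink-split-interface disable
        set member "internal6" "internal7"
    next
    # --- VLAN 100 "production" as a sub-interface of fortilink ---
    edit "production"
        set vdom "root"
        set ip 192.168.111.1 255.255.255.0
        # Only ping was enabled in the video; keep management protocols off user VLANs
        set allowaccess ping
        set interface "fortilink"
        set vlanid 100
    next
end

# --- DHCP scope handed out on the production VLAN ---
config system dhcp server
    edit 0
        set interface "production"
        set default-gateway 192.168.111.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.111.2
                set end-ip 192.168.111.254
            next
        end
    next
end

# --- FortiGate as NTP source for the FortiSwitches on the FortiLink segment ---
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "fortilink"
end

# --- Authorize the switch and set port6's native (access) VLAN to production ---
config switch-controller managed-switch
    edit "FORTISWITCH-SERIAL-PLACEHOLDER"
        set fsw-wan1-admin enable
        config ports
            edit "port6"
                set vlan "production"
            next
        end
    next
end

# --- The single policy from the video: VLAN 100 out to the WAN, NAT enabled ---
config firewall policy
    edit 0
        set name "production-to-wan"
        set srcintf "production"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# --- Verification, in the order the video uses them ---
# execute switch-controller get-conn-status
# execute switch-controller get-sync-status all
# diagnose switch-controller switch-info port-stats
# diagnose switch-controller switch-info mac-table
# execute switch-controller get-physical-conn standard
# diagnose netlink aggregate name fortilink
# diagnose sniffer packet fortilink '' 4 0 l        (shows only 802.1Q VLAN 100 tags)
# diagnose sniffer packet production 'icmp' 4 0 l   (shows the decapsulated ping)
```

Two points worth checking against the video's walkthrough. First, because the FortiGate denies anything not matched by a policy, hosts on production can reach the gateway and the WAN but nothing on other interfaces until a policy says so; that is the behaviour the video relies on when the VM has no internet access before the policy exists. Second, the two sniffer lines reproduce the video's finding: on fortilink the capture only shows tagged frames, so a filter for a specific host has to be applied on the VLAN sub-interface where the frame has already been decapsulated.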
Info
Channel: ToThePoint Fortinet
Views: 18,325
Keywords: FortiGate, FortiGate how to, Fortinet how to, FortiGate tutorial, Fortinet tutorial, Security, fortiswitch, fortilink, managed switch, fortiswitch standalone, fortiswitch topology, FortiLANCloud, switchport, native vlan, access vlan, layer 2 switch
Id: t_UpngTK5pM
Length: 24min 46sec (1486 seconds)
Published: Sat Sep 10 2022