FortiGate, FortiSwitch, and FortiAP LAN Edge Deployment Guide

Fortinet

FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO GUIDE: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
NSE INSTITUTE: https://training.fortinet.com
FORTIGUARD CENTER: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email techdoc@fortinet.com

April 13, 2023

Introduction

Executive summary

The Fortinet LAN Edge Solution offers tight integration through FortiLink, treating FortiSwitch and FortiAP units as extensions of the FortiGate device. This unified approach enables consistent security across the entire network, embodying Security-Driven Networking. By leveraging Security-Driven Networking, the LAN edge extends the Fortinet Security Fabric, converging security and network access into a single platform. This convergence enhances security, reduces complexity, lowers costs, and improves performance at the LAN edge. While this integrated approach simplifies the network, the sheer power and integration can make it challenging to know where to start. Security designs are typically specific to the deployment and can evolve over time. This guide focuses on establishing the network skeleton and default firewall policies to get the baseline network operational quickly.

Intended audience

This guide is intended for individuals interested in deploying Fortinet's secure LAN Edge Solution in a new environment or upgrading an existing one. Readers should possess a solid understanding of networking, wireless, and security concepts. This includes:

  • Network, wireless, and security architects
  • Network, wireless, and security engineers

About this guide

This deployment guide walks readers through the design and deployment steps for a specific architecture. It is recommended that readers first assess their environment to determine suitability. Consulting the Reference Architecture Guide(s) is advisable for those still selecting an architecture. This guide presents one method of deployment and may omit specific steps requiring reader decisions for further configuration. Supplementary materials such as admin guides, example guides, cookbooks, and release notes are also recommended.

Design overview

Use case and topology

The following topology illustrates the setup:

Diagram Description: The diagram shows an ISP CPE router connecting to a FortiGate device. The FortiGate is connected to a FortiSwitch via a FortiLink connection. The FortiSwitch then connects to a FortiAP and a NAC-connected device. The FortiGate also has a WAN connection labeled 'wan1'.

  • The primary focus is on establishing basic network connectivity and outbound access.
  • The ISP access router/modem is assumed to be deployed and providing DHCP for the FortiGate's WAN link via an Ethernet connection.
  • The deployment includes:
    • One FortiGate device
    • One FortiSwitch unit
    • One or more FortiAP units
  • All necessary Ethernet cabling is assumed to be available or already installed.
  • A management station with an Ethernet port is required.

Design concept and considerations

This guide outlines a baseline network for deploying a secure LAN edge efficiently. The solution is scalable; additional FortiSwitch units, FortiAP units, and higher-end FortiGate devices can be added to accommodate more users. Redundancy can be enhanced by implementing an HA cluster for FortiGate devices, a full-mesh switch network, and aggregate links. SD-WAN can be configured for redundancy and intelligent traffic steering. For multi-site deployments, standardization into SD-branches and provisioning via FortiManager are also supported.

Deployment overview

Deployment plan

This deployment configures a FortiGate device, a FortiSwitch unit, and a FortiAP unit from factory default settings to provide wired and wireless outbound access for internal users. Most configuration steps are performed on the FortiGate device, with the exception of physical connections.

The general deployment steps are:

  1. Bring up a FortiGate device and connect to an ISP.
  2. Configure FortiLink and authorize a FortiSwitch unit.
  3. Create and assign VLANs in the switch controller.
  4. Set up NAC and create NAC policies.
  5. Add one or more FortiAP units.

Deployment procedures

Step 1: Bring up the FortiGate device

The following figures show the faceplate and back of the FortiGate 60F, which is similar to the FortiGate 61F.

Diagram Description: Images show the front and back panels of a FortiGate 60F device, detailing ports like DC+12V, USB, CONSOLE, WAN2, WAN1, DMZ, ports 5, 4, 3, 2, 1, and A, B. It notes that DMZ, HA, and MGMT ports may be available on larger models.

FortiGate devices, when new, have physical ports preconfigured according to their model. These ports can be reconfigured, with some exceptions. Ports labeled 'A' and 'B' are typically preconfigured for FortiLink and connect to the FortiSwitch unit.

Default settings for an out-of-the-box FortiGate device:

Setting                                    Value
-----------------------------------------  -----------------------------------------------------------------------
Management IP address and login credentials
  Management IP                            192.168.1.99/24
  User name                                admin
  Password                                 <blank> (prompts for a new password on first login)
Ports and interfaces
  MGMT port address range (if it exists)   192.168.1.0/24, with the FortiGate device as the default gateway
  LAN port only                            If there is no MGMT port, the LAN port address range is 192.168.1.0/24.
  MGMT and LAN port                        If there is an MGMT port, the LAN ports default to a different subnet.
  WAN1                                     DHCP client (requests an IP address from the ISP)
  LAN ports labeled 'A' and 'B'            Preconfigured for FortiLink
Firewall policies
  LAN → WAN                                Allows outgoing traffic from LAN ports; does not allow incoming traffic
                                           from the Internet/uplink (WAN1). MGMT ports do not have default
                                           Internet access.

Power on the FortiGate device and log in

  1. Plug in and power on the FortiGate device.
  2. Connect the ISP uplink to the FortiGate WAN1 port.
  3. Connect a management station to the MGMT (or LAN port 1) using an Ethernet cable. The station should receive an IP address from the FortiGate. If not, configure it to 192.168.1.110/255.255.255.0 with a gateway of 192.168.1.99.
  4. Open a web browser and navigate to 192.168.1.99.
  5. Log in using the username 'admin' and a blank password, then press Enter.
  6. You will be prompted to set a new password.
  7. The FortiGate setup screen appears next; this guide skips those details. A connected station can now access the Internet via the FortiGate firewall.

Step 2: Configure FortiLink and authorize the FortiSwitch unit

FortiLink enables full management of a FortiSwitch unit from the FortiGate device, treating them as a unified entity. VLAN tags are automatically provisioned.

Remove the ports in the LAN hardware switch interface

For FortiGate models without dedicated FortiLink ports (like A and B), two LAN ports must be removed from the LAN interface to be used for FortiLink. By default, LAN ports are grouped into the LAN hardware switch interface.

Steps for FortiGate 61F:

  1. Navigate to Network > Interfaces and double-click on LAN.
  2. In the Interface Members field, remove two physical ports by clicking the 'X' icons. The highest-numbered ports are commonly used, but any two can be removed.
  3. Click OK.
  4. The removed ports will no longer be part of the LAN interface and will appear under the Physical Interface grouping.

Configure the FortiLink interface

FortiLink connects switches and access points directly to the FortiGate, making the network function as a single device.

  1. Go to Network > Interfaces.
  2. Double-click on FortiLink.
  3. Verify interface members:
    • If two members are listed (likely ports 'A' and 'B'), FortiLink is ready.
    • If no members are listed, select the two LAN ports removed earlier.
  4. Check FortiLink settings:
    • Address section: Use the default 'Dedicated to FortiSwitch' addressing mode.
    • Address section: Ensure 'Automatically authorize devices' is enabled.
    • Address section: Disable 'FortiLink split interface' (used for multiple switches).
    • Ensure the DHCP server is enabled for connected FortiSwitch units.

Diagram Description: A screenshot shows the FortiGate interface configuration screen, highlighting the FortiLink settings with options for addressing mode, automatic authorization, split interface, and DHCP server status.

Click OK.

Make the switch controller and WiFi controller visible in the GUI

To make the switch and WiFi controllers visible:

  1. Go to System > Feature Visibility.
  2. Under Core Features, enable 'Switch Controller'.
  3. Under Core Features, enable 'WiFi Controller'.

Connect the FortiLink ports to the switch ports

  1. Unpack and deploy the FortiSwitch unit.
  2. Turn on the FortiSwitch unit.
  3. Connect the FortiSwitch to the FortiGate using two Ethernet cables, linking the designated FortiLink ports on the FortiGate to the last two ports on the FortiSwitch. Allow a few minutes for the switch to become visible and configurable on the FortiGate.

Explore the switch controller

Navigate to WiFi & Switch Controller > FortiLink Interface. This section provides access to additional options, including FortiOS Network Access Control (NAC).

Check the switch authorization and topology

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Verify that the FortiSwitch unit is visible, connected, and authorized. If not automatically authorized, click the icon to authorize it.
  3. To view the topology, change the dropdown menu in the upper right corner from 'List' to 'Topology'. This view shows the logical connection between the FortiGate and the FortiSwitch.
  4. Hover over the switch icon to access context menus.
  5. The figure shows the FortiSwitch unit is connected, authorized, and ready.

Diagram Description: A screenshot displays the Managed FortiSwitch interface, showing a list of connected switches with their status, model, and connection details. Another screenshot shows the topology view.

Step 3: Create and assign VLANs in the switch controller

Create FortiSwitch VLANs

Predefined VLANs exist for NAC purposes, allowing automatic assignment of devices to a default VLAN. This guide demonstrates creating two example VLANs for internal use, enabling Internet access and inter-VLAN routing.

Steps:

  1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Click 'Create New'.
  3. Assign a VLAN name (e.g., VLAN100).
  4. Ensure 'Type' is 'VLAN' and 'Interface' is 'fortilink'.
  5. Assign a unique VLAN ID (e.g., 100). Predefined VLANs use IDs 4089-4093.
  6. Optionally, select a color.
  7. Set the 'Role' to 'LAN'.
  8. Set 'Addressing mode' to 'Manual'.
  9. Enter an IP/Netmask (e.g., 10.10.100.1/255.255.255.0).
  10. Enable 'Create address object matching subnet'.

Diagram Description: A screenshot shows the FortiGate interface for creating a new VLAN, with fields for Name, Type, Interface, VLAN ID, Role, Addressing Mode, and IP/Netmask.

This setting will be useful in policies later.

  11. Enable DHCP Server.
  12. Accept or adjust the default address range.
  13. Ensure 'Same as Interface IP' and 'Same as System DNS' are enabled.

Diagram Description: A screenshot shows the DHCP Server configuration for the VLAN, including DHCP status, address range, netmask, default gateway, and DNS server settings.

Click OK.

For the second VLAN (e.g., VLAN200):

  • Repeat the procedure, using VLAN200 for the name and ID.
  • Set the IP/Netmask to 10.10.200.1/255.255.255.0.
  • Configure other settings as needed.

Click OK.

Create firewall policies for Internet access

The Internet access policies for the new VLANs are similar to the default LAN → WAN policy: each one allows traffic from a VLAN out to the Internet via WAN1, with NAT, and opens nothing inbound.

Steps:

  1. Go to Policy & Objects > Firewall Policy.
  2. Click 'Create New'.
  3. Configure the policy for the first VLAN (e.g., VLAN100-Internet):
    • Incoming Interface: VLAN100
    • Outgoing Interface: WAN1
    • Source: all
    • Destination: all
    • Schedule: always
    • Service: ALL
    • Action: ACCEPT
  4. Under Firewall/Network Options, ensure NAT is enabled and 'Use Outgoing Interface Address' is selected.

Diagram Description: A screenshot shows the FortiGate firewall policy creation screen, detailing fields for Name, Incoming/Outgoing Interfaces, Source, Destination, Schedule, Service, Action, and Firewall/Network Options like NAT.

  5. Accept the default settings and click OK.

Repeat steps 1-5 for the second VLAN.

Enable inter-VLAN routing (if needed)

To allow communication between VLANs, configure two additional policies. For example:

  • Policy 1: Incoming VLAN100, Outgoing VLAN200.
  • Policy 2: Incoming VLAN200, Outgoing VLAN100.

Diagram Description: A screenshot shows a list of configured firewall policies, including inter-VLAN routing policies.
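The VLAN, DHCP scope, and policies from this step expressed as FortiOS CLI configuration, added here as an example and not taken from the guide. It uses the guide's values (VLAN100, 10.10.100.1/24, wan1); the DHCP server ID 10, the address object name "VLAN100 address" (the name I assume the 'Create address object matching subnet' option produces) and the VLAN200 interface and address object referenced by the inter-VLAN policies (assumed to be created the same way with 10.10.200.1/24) are assumptions, and the # lines are comments to remove if pasting into an interactive CLI session.

```text
# VLAN100 as a FortiSwitch VLAN on the FortiLink interface
config system interface
    edit "VLAN100"
        set vdom "root"
        set ip 10.10.100.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "fortilink"
        set vlanid 100
    next
end

# Address object that always matches the VLAN100 subnet
config firewall address
    edit "VLAN100 address"
        set type interface-subnet
        set interface "VLAN100"
    next
end

# DHCP scope on VLAN100: gateway = interface IP, DNS = system DNS
config system dhcp server
    edit 10
        set interface "VLAN100"
        set default-gateway 10.10.100.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.100.2
                set end-ip 10.10.100.254
            next
        end
    next
end

# Outbound Internet policy: source NAT to the wan1 address; nothing inbound is opened
config firewall policy
    edit 0
        set name "VLAN100-Internet"
        set srcintf "VLAN100"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Inter-VLAN routing (only if needed): one policy per direction, no NAT between internal subnets
config firewall policy
    edit 0
        set name "VLAN100-to-VLAN200"
        set srcintf "VLAN100"
        set dstintf "VLAN200"
        set action accept
        set srcaddr "VLAN100 address"
        set dstaddr "VLAN200 address"
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "VLAN200-to-VLAN100"
        set srcintf "VLAN200"
        set dstintf "VLAN100"
        set action accept
        set srcaddr "VLAN200 address"
        set dstaddr "VLAN100 address"
        set schedule "always"
        set service "ALL"
    next
end
```

The inter-VLAN policies use the interface-subnet address objects instead of 'all', so they stay scoped to the two subnets even after more VLANs are added later.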

Assign VLANs to switch ports

Assign VLANs statically to switch ports. NAC policies can be used for dynamic assignment later.

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Note that FortiLink ports show the FortiGate device in the native VLAN column; no trunk port configuration is needed.
  3. To change a port's VLAN, hover over the current native VLAN and click the pencil icon.

Diagram Description: A screenshot shows the FortiSwitch Ports configuration screen, listing ports with their Native VLAN, Allowed VLANs, and other settings. It highlights the pencil icon for editing.

In the 'Select Entries' pane, choose the VLAN to assign. If the VLAN is not defined, click 'Create'. Click 'Apply' to save.

Assign other ports to static VLANs as needed.

Diagram Description: A screenshot shows the process of selecting a VLAN for a specific port in the FortiSwitch Ports configuration.

Step 4: Set up NAC and create NAC policies

NAC identifies devices based on criteria like OS and hardware vendor, then assigns them to a policy-defined VLAN.

When a device connects to a switch port in NAC mode, it undergoes these steps:

  1. Receives a DHCP address on the onboarding VLAN.
  2. Is categorized by a NAC policy.
  3. Receives a new DHCP address on the assigned VLAN.

If a device doesn't match any category, it remains on the onboarding VLAN. Because unmatched devices stay there, the firewall policies for the onboarding VLAN should be more restrictive than those for the assigned VLANs.

Change the onboarding VLAN

By default, FortiGate NAC policies place onboarding devices into the predefined onboarding VLAN. This can be changed by editing the onboarding VLAN under NAC Policies > FortiSwitch VLANs and modifying its FortiLink interface setting.

Diagram Description: A screenshot shows the FortiGate NAC Policies screen, listing onboarding VLANs and their assignments.

Set up NAC policies on the FortiSwitch unit

Define rules to assign devices to VLANs based on patterns, user information, or EMS tags.

Steps:

  1. Go to WiFi & Switch Controller > NAC Policies.
  2. Click 'Create New' to create a NAC policy (e.g., 'dev-NAC').
  3. Set 'Status' to 'Enabled'.
  4. Set 'Category' to 'Device'.
  5. Enable 'MAC address' and enter a device MAC address (e.g., 00:00:00:00:00:00). Multiple criteria can be enabled.
  6. Under 'Switch Controller Action', enable 'Assign VLAN' and select a previously configured VLAN.

Diagram Description: A screenshot shows the FortiGate interface for creating a new NAC policy, with fields for Name, Status, Category (Device, MAC address, Hardware vendor, etc.), and Switch Controller Action (Assign VLAN).

Click OK to save the NAC policy.

Create other NAC policies as needed.

Assign ports to use a NAC policy

Ports can be configured to use NAC policies for dynamic access and security levels based on the connected device.

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Select the ports to be changed to NAC mode.
  3. Right-click and select 'Mode' > 'NAC'.

Diagram Description: A screenshot shows the FortiSwitch Ports configuration screen, where ports can be selected and their mode changed to NAC.

After applying NAC mode, refresh the page; the Native VLAN value will update.

Diagram Description: A screenshot shows the FortiSwitch Ports configuration after applying NAC mode, indicating updated Native VLAN values.
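The NAC policy and port mode from this step as FortiOS 7.0 CLI, added here as an example and not taken from the guide. The MAC policy name nac-to-VLAN100, the <FORTISWITCH-SERIAL> placeholder and the port name port1 are assumptions; the access-mode value nac is my recollection of the 7.0 CLI, so confirm it with 'set access-mode ?' on your firmware before relying on it.

```text
# VLAN to hand out when the NAC policy matches (GUI: Switch Controller Action > Assign VLAN)
config switch-controller mac-policy
    edit "nac-to-VLAN100"
        set fortilink "fortilink"
        set vlan "VLAN100"
    next
end

# Device-category NAC policy keyed on a MAC address; every enabled criterion must match
config user nac-policy
    edit "dev-NAC"
        set status enable
        set category device
        set mac "00:00:00:00:00:00"
        set switch-fortilink "fortilink"
        set switch-mac-policy "nac-to-VLAN100"
    next
end

# Put a switch port into NAC mode (GUI: FortiSwitch Ports > Mode > NAC).
# <FORTISWITCH-SERIAL> is a placeholder for the managed switch's serial number.
config switch-controller managed-switch
    edit "<FORTISWITCH-SERIAL>"
        config ports
            edit "port1"
                set access-mode nac
            next
        end
    next
end
```

A device on port1 whose MAC does not match dev-NAC (or any other NAC policy) stays on the onboarding VLAN, which is why that VLAN's firewall policies should be the most restrictive ones.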

FortiSwitch configuration complete

The FortiSwitch configuration is complete. Devices connected to ports in static mode will follow assigned firewall policies. Devices on NAC-mode ports will be placed in VLANs based on matching NAC policies.

Step 5: Deploy WiFi

This guide focuses on network configuration, not physical AP installation. Refer to FortiAP Quick Start Guides for installation details. Best practices include:

  • Integrated/internal antennas are for ceiling mounts. For wall mounting, use external antennas.
  • Antenna patterns (omnidirectional, directional) affect signal coverage. Omnidirectional antennas create a donut pattern, suitable for 10-20 foot ceilings. Down-pointed directional antennas are better for higher ceilings. High-gain omnidirectional antennas can flatten the pattern, reducing ceiling coverage.
  • Wall-mounted APs require external antennas, ideally vertically aligned omnidirectional ones.
  • Ensure sufficient Power over Ethernet (PoE) from the switch and that the total PoE budget meets the needs of all access points.
  • Record AP MAC addresses/serial numbers and locations for documentation.
  • Leave extra cable slack at AP ends for easier coverage adjustment.

Add an AP VLAN

Create an AP VLAN for AP management (control plane) to isolate it from user traffic. This is done via WiFi & Switch Controller > FortiSwitch VLANs (refer to 'Create FortiSwitch VLANs').

Steps:

  1. Enter a VLAN name.
  2. Assign a VLAN ID.
  3. Set 'Addressing mode' to 'Manual' and assign a VLAN/gateway IP address.
  4. Under 'Administrative Access', click 'Security Fabric Connection' and add other access types as needed.

Diagram Description: A screenshot shows the FortiGate interface for creating a new VLAN, similar to the previous VLAN creation steps, but for the AP VLAN.

  5. Enable DHCP server and specify the IP address range.
  6. Under 'Network', enable 'Device detection'.
  7. Enable 'Automatically authorize devices'. This is recommended during initial deployment and can be disabled later for enhanced security.

Diagram Description: A screenshot shows the DHCP Server configuration for the AP VLAN, including IP address range and device detection settings.

Click OK.

Assign the AP VLAN to AP ports on the FortiSwitch unit

FortiAPs connected to ports assigned the AP VLAN will automatically connect, get an IP, and be authorized. A FortiSwitch PoE port can power the AP.

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Select a PoE-capable port and change its native VLAN to the AP VLAN.

Diagram Description: A screenshot shows the FortiSwitch Ports configuration, highlighting the selection of a port and changing its Native VLAN to the AP VLAN.

Connect APs via Ethernet cables to the appropriate PoE-capable FortiSwitch ports. Allow a few minutes for them to start and authorize. Check progress via Security Fabric > Physical Topology or WiFi & Switch Controller > Managed FortiAPs.

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. If needed, change the view from 'Group' to 'AP'.

Diagram Description: A screenshot shows the Managed FortiAPs interface, listing connected access points and their status.

If APs are not automatically authorized, use the right-click menu or the 'Edit' button. Renaming APs (e.g., "Main-Lobby") is recommended for easier identification.

Create SSIDs

Steps:

  1. Go to WiFi & Switch Controller > SSIDs.
  2. Click 'Create New' > 'SSID'.
  3. Enter an internal name for the SSID.
  4. Set the 'Traffic mode' to 'Tunnel'. In tunnel mode, WLANs function as interfaces in the FortiGate.
  5. Assign an IP address (VLAN gateway) and set up the DHCP server.

Diagram Description: A screenshot shows the FortiGate interface for creating a new SSID, with fields for Name, Alias, Type, Traffic Mode, and IP/Netmask.

Under WiFi Settings:

  • Enter the over-the-air SSID name.
  • Select a security mode (e.g., WPA3 SAE or WPA2 Personal). Enterprise modes are recommended for refined security policies.
  • Enter a pre-shared key.

Diagram Description: A screenshot shows the WiFi Settings for SSID configuration, including SSID name, security mode (WPA2 Personal), pre-shared key, client limit, and broadcast options.

Click OK.

SSIDs are deployed to the APs. More complex deployments can be configured using groups of APs and different WLANs.

Configure the firewall policies

Firewall policies must be configured to allow wireless access from the SSID. Refer to 'Create firewall policies for Internet access'. Profiles for traffic scanning can also be defined here.

Diagram Description: A screenshot shows the FortiGate firewall policy configuration screen, demonstrating a policy for an SSID allowing internet access.
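The AP VLAN, tunnel-mode SSID and its Internet policy from this step as FortiOS CLI, added here as an example and not taken from the guide. The VLAN ID 30, the subnets 10.10.30.0/24 and 10.10.50.0/24, the names AP-VLAN, corp-wlan and Corp-WiFi, the DHCP server ID 30 and the auto-auth-extension-device setting (my recollection of the CLI name behind 'Automatically authorize devices') are assumptions; replace <STRONG-PASSPHRASE> with a real SAE passphrase.

```text
# AP management VLAN: Security Fabric access lets FortiAPs discover the controller
config system interface
    edit "AP-VLAN"
        set vdom "root"
        set ip 10.10.30.1 255.255.255.0
        set allowaccess ping fabric
        set role lan
        set device-identification enable
        set auto-auth-extension-device enable
        set interface "fortilink"
        set vlanid 30
    next
end

config system dhcp server
    edit 30
        set interface "AP-VLAN"
        set default-gateway 10.10.30.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.30.2
                set end-ip 10.10.30.254
            next
        end
    next
end

# Tunnel-mode SSID (local bridging disabled) secured with WPA3-SAE; PMF is mandatory for SAE
config wireless-controller vap
    edit "corp-wlan"
        set ssid "Corp-WiFi"
        set local-bridging disable
        set security wpa3-sae
        set pmf enable
        set sae-password "<STRONG-PASSPHRASE>"
    next
end

# The VAP is an interface on the FortiGate; give it the gateway address (add a DHCP scope as above)
config system interface
    edit "corp-wlan"
        set ip 10.10.50.1 255.255.255.0
        set allowaccess ping
    next
end

# Wireless clients reach the Internet through the same kind of NAT policy as the wired VLANs
config firewall policy
    edit 0
        set name "corp-wlan-Internet"
        set srcintf "corp-wlan"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Once every AP has been authorized, set auto-auth-extension-device to disable on AP-VLAN so that an unknown AP plugged into an AP port is not authorized without review.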

Deployment complete

The basic LAN edge network design is now configured. The FortiGate serves as the internet gateway, the FortiSwitch is connected and communicating via FortiLink, Wi-Fi is operational, and an example NAC policy is in place. For further security, refinement, optimization, and scaling, refer to additional Fortinet documentation.

Appendix A: Products used in this guide

The following product models and firmware were used in this guide. FortiSwitch 7.0 and FortiAP 7.0 can also be used for this deployment.

Product      Model                  Firmware
FortiGate    FortiGate 61F          7.0.3
FortiSwitch  FortiSwitch 108E-POE   6.4.4
FortiAP      FortiAP 221E           6.4.4

Appendix B: Documentation references

For more information, use the following resources:

  • Product administration guides:
    • FortiGate Administration Guide
    • Managed FortiSwitch Administration Guide
    • FortiWiFi and FortiAP Configuration Guide
  • Solution hub:
    • Secure Access
