CSE-HOL-FortiLink-7.2


Security Driven Networking

FortiSwitch FortiLink v7.2 Hands-on Lab

FortiSwitch 7.2 | FortiGate 7.2 | FortiAnalyzer 7.2 | FortiManager 7.2


FortiSwitch FortiLink Hands-on Lab: Security Driven Networking

Table of Contents

INTRODUCTION .................................................................................................................................................................. 3
Labs ..................................................................................................................................................................................... 3
Topology .............................................................................................................................................................................. 4
IP-address overview............................................................................................................................................................. 4
PREPARATION TASKS - DO IT BEFORE STARTING THE LABS .................................................................................................. 5
Device Passwords ................................................................................................................................................................ 5
FortiSwitch VM .................................................................................................................................................................... 5
Tips ...................................................................................................................................................................................... 6
LAB 1: PRE-AUTHORIZING FORTISWITCH USING WILDCARD ................................................................................................ 7
Adding pre-authorized FortiSwitch: ..................................................................................................................................... 7
Creating the FortiLink: ....................................................................................................................................................... 10
LAB 2: CREATING MCLAG TOPOLOGY ................................................................................................................................ 14
Configuring the Tier-1 MCLAG pair.................................................................................................................................... 14
Checking MCLAG configuration ......................................................................................................................................... 16
Create FortiSwitch Groups ................................................................................................................................................. 17
LAB 3: FORTISWITCH NAC LAN SEGMENTS ........................................................................................................................ 18
Introduction to NAC LAN Segments ................................................................................................................................... 18
Create a FortiSwitch NAC LAN segment VLANs: ................................................................................................................ 20
Create NAC Policy: ............................................................................................................................................................. 22
Create Firewall Policy to allow Internet access from Ubuntu LAN Segment ..................................................................... 23
Applying the NAC configuration FortiSwitch's physical port ............................................................................................. 23
Testing & Verification ........................................................................................................................................................ 24
LAB 4: MANAGING FORTISWITCHES ON VXLAN INTERFACES ............................................................................................. 29
Configuring L3 Router (fg-remote) .................................................................................................................................... 30
Configuring FortiSwitch (fsw-fol3-1).................................................................................................................................. 31
Configuring FortiGate (FG-HQ) .......................................................................................................................................... 33
Test & Verification ............................................................................................................................................................. 35
LAB 5: SECURITY FABRIC.................................................................................................................................................... 41
Configure the Security Fabric Setup................................................................................................................................... 43
Configure the FortiManager .............................................................................................................................................. 45
Configure the Radius (FortiAuthenticator) ........................................................................................................................ 49
APPENDIX A: HOW TO RUN THE LABS?.............................................................................................................................. 53
FortiSwitch Access: ............................................................................................................................................................ 53
Linux Endpoint Access: ...................................................................................................................................................... 53

Introduction
This hands-on activity will provide an opportunity for attendees to experience configuring
control & security features on the FortiSwitch & FortiGate.

Disclaimer: due to the virtual environment, not all FSW features are available. The FSW-
VM is not a product and is not supported. Functionality is limited. Follow the
instructions carefully and don't try things that are not mentioned in the guide; there is no
guarantee that they work, and they might compromise your tests.
FSW-VM cannot be distributed outside Fortinet. It's strictly for internal use.

Labs

The table below shows the tasks you're expected to execute.

Important: Before starting with the tasks, make sure to perform the preparation tasks.

Task | Description                                | Duration (mins)
0    | Preparation Tasks                          | 10
1    | Pre-authorizing FortiSwitch using wildcard | 20
2    | Creating MCLAG topology                    | 15
3    | FortiSwitch NAC LAN Segments               | 30
4    | Managing FortiSwitches on VXLAN Interfaces | 45
5    | Security Fabric                            | 30

Topology

During the workshop we will use the environment as outlined below. The FGT provides
access to the internet via the FPoC management port.

IP-address overview

Refer to the table provided by the instructor to identify which FortiPoC instance to access.
See below the IP addresses of the devices deployed on vlan "backend_vms":

Device | IP Address  | Version
FSW    | 10.255/16   | 7.2.0
FGT    | 10.88.0.254 | 7.2.0
FMG    | 10.88.0.1   | 7.2.0
FAZ    | 10.88.0.2   | 7.2.0
FAC    | 10.88.0.3   | 6.4.3

Preparation Tasks - DO IT BEFORE STARTING THE
LABS

Device Passwords

Device          | User  | Password
FGT/FAZ/FMG/FAC | admin | fortinet
FSW             | admin | no password at first login

FortiSwitch VM

1. Due to the design of FortiSwitch-VM, Port1 MUST be designated as the management
port and therefore cannot be used. Below are the mappings of FortiSwitch-VM's ports:

Actual port (as seen on topology) | Mapped port
Port2                             | Port1
Port3                             | Port2
Port4                             | Port3
Port5                             | Port4
Port6                             | Port5
Port7                             | Port6
Port8                             | Port7
Port9                             | Port8

2. It may be necessary to reboot FSW-VM to recover from faults. Before taking any action,
check with the instructors. Make sure to do it from the FSW console CLI (do not use fpoc
options "shut down", "reboot" or "reset disk").

# execute reboot

Tips

1. Lubuntu client – Use US Keyboard Layout

2. Device Access - Click on Access and select the access type (HTTPS for
FGT/FAC/FMG/FAZ). FSW should be managed by FGT, but if necessary, use DISPLAY.

3. Browser - FPoC works better with Chrome. For FAZ, use a separate incognito window -
FMG and FAZ can't be open on the same browser.

Lab 1: Pre-authorizing FortiSwitch using wildcard
There are several enhancements to zero touch provisioning (ZTP) on FortiSwitch. Enhancements
such as port default behaviors, automated FortiLink over layer 3, changing FortiLink mode
without reboot, and pre-authorizing FortiSwitch using wildcard characters are part of the version 7.2
enhancements.

For this workshop, only pre-authorizing FortiSwitch using wildcard characters will be shown.

Adding pre-authorized FortiSwitch:

To configure automatic provisioning and upgrade the FortiSwitch firmware after
authorization:

1. Login to FG-HQ1, go to WiFi & Switch Controller > Managed FortiSwitches.

2. Click on Create New > FortiSwitch

3. Add the serial S108DV********01. Enable the “Authorized” checkbox.

All switch serials have 16 characters. Once the switch model (S424E, S108E, etc.) and the
switch number are determined, the remaining characters should be filled with “*”.

S108DV********01 represents the first switch. If there are 4 switches, add the subsequent
FSWs as 02, 03 and 04. This can also be expanded to 001, 002, 003 and 004 instead,
depending on how many FSWs the customer has.
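To make the wildcard rule concrete, here is an added Python example (not code from the lab guide or from FortiOS) that builds pre-authorization patterns for a model prefix and checks discovered serials against them. It assumes each “*” stands for exactly one character, as the description above implies; the sample serials are constructed.

```python
"""Wildcard pre-authorization patterns for FortiSwitch serials (illustrative).

Added example, not code from the lab guide or FortiOS. It models the rule
described above: a 16-character serial whose model prefix and trailing
switch number are fixed and whose remaining positions are '*'. Assumption:
each '*' stands for exactly one character, as the guide's "fill the rest of
the characters" wording suggests. Sample serials are constructed.
"""
from typing import Dict, List, Optional

SERIAL_LEN = 16   # every FortiSwitch serial is 16 characters (per the guide)


def build_patterns(model: str, count: int, digits: int = 2) -> List[str]:
    """Return one pattern per switch, e.g. S108DV********01 .. S108DV********04.

    model  - serial prefix identifying the model (S108DV, S424E, ...)
    count  - how many switches to pre-authorize
    digits - width of the trailing number: 2 gives 01..99, 3 gives 001..999
    """
    if count < 1 or count >= 10 ** digits:
        raise ValueError(f"{count} switches do not fit in {digits} digits")
    filler = SERIAL_LEN - len(model) - digits
    if filler < 0:
        raise ValueError("model prefix plus switch number exceeds 16 characters")
    return [f"{model}{'*' * filler}{n:0{digits}d}" for n in range(1, count + 1)]


def match_serial(serial: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern the discovered serial satisfies, or None.

    A serial that is not exactly 16 characters never matches, so a pattern
    cannot accidentally authorize a malformed or truncated serial.
    """
    if len(serial) != SERIAL_LEN:
        return None
    for pattern in patterns:
        if len(pattern) == SERIAL_LEN and all(
            p == "*" or p == s for p, s in zip(pattern, serial)
        ):
            return pattern
    return None


def authorization_report(serials: List[str],
                         patterns: List[str]) -> Dict[str, Optional[str]]:
    """Map each discovered serial to the pattern that pre-authorizes it (or None).

    Serials left at None would stay unauthorized and need manual approval.
    """
    return {serial: match_serial(serial, patterns) for serial in serials}
```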

4. Add all 3 FSWs into the GUI. It should look like the following:

Creating the FortiLink:

This section illustrates the GUI method to bring up FortiLink management for the switches
attached via FortiGate ports (port2 and port3).

1. Navigate to WiFi & Switch Controller > FortiLink Interface, edit the predefined FortiLink
interface.

2. Assign port2 and port3 as Interface members for FortiLink and Apply.

3. Discovered FSW will be automatically authorized, added, and the serial number
automatically populated.

4. Discovered FSW can then be named as follows:

Serial Number    | Name
S108DV92DPE4H946 | FSW-HQ-1
S108DVDYVPE4H946 | FSW-HQ-2
S108DVOJL3EKH946 | FSW-HQ-3

Checking FortiLink status and configuration:
Some useful commands to check the FortiLink configuration and status from FortiGate:
• execute switch-controller diagnose-connection <FSW_SERIAL_NUMBER>
• execute switch-controller get-conn-status
• execute switch-controller get-physical-conn [ standard | dot ] <FORTILINK_NAME>
• execute switch-controller get-sync-status all

See Appendix A for Customized FortiSwitch Default VLAN Configuration.

Lab 2: Creating MCLAG topology

MCLAG can be created from Security Ratings (refer to v7.0 hands-on lab workshop). For this
workshop, we will create MCLAG manually to complete our topology. Creating MCLAG
from Security Ratings will be further enhanced in v7.2.x release, where MCLAG can be
created directly from FortiSwitch topology view in GUI.

This workshop also focuses more on v7.2 features, for 2-tier MCLAG hands-on lab, please
refer to v7.0 hands-on lab workshop.

Configuring the Tier-1 MCLAG pair

1. Using the FortiGate CLI, assign the LLDP profile “default-auto-mclag-icl” to the ports that
should form the MC-LAG ICL in FortiSwitch unit 1. In our case this is: S108DV92DPE4H946
(and the MC-LAG ICL port, port3).
FGVM04TM20003085 # config switch-controller managed-switch
FGVM04TM20003085 (managed-switch) # edit S108DV92DPE4H946
FGVM04TM20003085 (S108DV92DPEFGG54) # config ports
FGVM04TM20003085 (S108DV92DPEFGG54) # edit port3
FGVM04TM20003085 (port3) # set lldp-profile default-auto-mclag-icl
FGVM04TM20003085 (port3) # end
FGVM04TM20003085 (S108DV92DPEFGG54) # end

or if you were to do a CLI copy-paste, the same commands:

config switch-controller managed-switch
edit S108DV92DPE4H946
config ports
edit port3
set lldp-profile default-auto-mclag-icl
end
end

2. Repeat step 1 for FortiSwitch unit 2. The difference is the switch name:
config switch-controller managed-switch
edit S108DVDYVPE4H946
config ports
edit port3
set lldp-profile default-auto-mclag-icl
end
end

3. Disable the split interface in the FortiLink interface

4. From the FortiGate unit, enable the LACP active mode if not already set. In this lab we use a
link-aggregate of two ports for FortiLink, so it is already set.

5. Check that the LAG is working correctly. Run “diagnose netlink aggregate name fortilink”, which
should show both aggregate ports are up. You could also run commands like “diagnose switch-controller
switch-info mclag icl” to verify the ICL link is working.

Now the first MCLAG pair should be enabled. Go to WiFi & Switch Controller >
Managed FortiSwitch and check that the topology changed, and the first Tier-1 is now
highlighted as MC-LAG Peers.

Allow a few minutes to let it converge on the GUI. Use "diagnose switch-controller
switch-info mclag icl" command to check that the peers are communicating.

After MCLAG is completely formed, your topology should look as the following:

Checking MCLAG configuration

Some useful commands to check the MCLAG configuration and status from FortiGate:

• diagnose switch-controller switch-info trunk config
• diagnose switch-controller switch-info trunk status
• diagnose switch-controller switch-info mclag icl
• diagnose switch-controller switch-info mclag list
• diagnose switch-controller switch-info mclag peer-consistency-check

Create FortiSwitch Groups

From the Managed FortiSwitch menu, navigate to the Group view, using the drop-down
menu from the right hand side. Create two groups, “Tier-1” and “Dual-Homed”:

This helps to better manage the FortiSwitches and enables some common actions to be
applied at group level.

Lab 3: FortiSwitch NAC LAN Segments

Assuming FortiLink has been fully configured and all FortiSwitches are successfully
managed by the FortiGate, we will enable NAC configurations on the FortiGate and test
that the hosts are filtered and assigned to the corresponding LAN segment.

Introduction to NAC LAN Segments

You can configure a FortiSwitch network access control (NAC) policy within FortiOS that
matches devices with the specified criteria, devices belonging to a specified user group, or
devices with a specified FortiClient EMS tag. Devices that match are assigned to a specific
VLAN.

One of the main problems when applying automatic network access processes to devices is
the need to move them from the onboarding network to the final network where they
belong, according to the characteristics of the device. Basically, the issue appears when the
devices need to change or renew their IP address.

In that regard, FortiLink added the capability to bounce the port physically and automatically,
but this solution does not accommodate all use cases (e.g. if the devices are connected
through another device, like an IP phone).

Therefore, to try to address this scenario from a different angle, FortiSwitch introduced the
NAC LAN Segments feature since 7.0.1 (FOS and FSWOS).
The concept behind this feature is that the connecting devices get an IP from a specific
VLAN (typically nac_segment) and they don't need to change it. They will be placed into
the corresponding network segment/VLAN leveraging FortiSwitch mechanisms.

LAN segments prevent the IP addresses of hosts from changing but still provide physical
isolation. For example, the following figure shows how four LAN segments have been
assigned to four separate VLANs:

To use LAN segments:

I. Configure FortiSwitch VLANs without layer-3 properties (unset the IP address, set
the access mode to static, unset allowaccess, and disable the DHCP server).

II. Optionally, enable Block Intra-VLAN Traffic to prevent traffic between hosts in a
LAN segment.

III. Enable LAN segments (Enabled by default in FOS 7.2)

IV. Specify the NAC LAN interface.

V. Specify which VLANs belong to that LAN segment.

VI. Create NAC Policy & enable Assign device to dynamic address.

VII. Create a Firewall Policy with a dynamic address to allow the access for the LAN
Segment.

The goal of this lab is to assign a LAN segment VLAN-4000 via NAC Policy to Ubuntu
device based on device category, Vendor OUI (Mac address wild card) and OS. Then
create a firewall ipv4 policy to allow the LAN segment dynamic address to internet.
Create a FortiSwitch NAC LAN segment VLANs:

• We will use the default onboarding VLAN for this exercise.
• Define VLAN-4000 to be assigned to the matched devices.
• Please ensure that NO DHCP-Snooping is enabled on any of the VLANs that
you've created.

1. Login to FGT-HQ via HTTPS and navigate to WiFi & Switch Controller >
FortiSwitch VLANs. Edit the nac_segment.fortilink interface, enable PING and
Security Fabric Connections, and make sure the DHCP Server is enabled.

2. Create a new VLAN as follows:

- Name: Ubuntu_Segment
- VLAN ID: 4000
- Access mode static, no IP address, unset allowaccess, and the DHCP server disabled.

3. Navigate to WiFi & Switch Controller > NAC Policies. Edit FortiLink NAC Settings under
FortiSwitch Onboarding VLAN:

- Make sure that the NAC VLAN segmentation is Enabled.
- Primary Interface: select nac_segment.fortilink.
- Onboarding VLAN: select onboarding.fortilink.
- Segment VLANs: select Ubuntu_Segment.

Create NAC Policy:

For this workshop, we will configure a Device Pattern based on Device category. You also have
the option to configure based on User & EMS Tag.

1. Navigate to WiFi & Switch Controller > NAC Policies. Create New NAC Policy as follow:

- Name: Ubuntu NAC Segment Policy
- Status: Disabled (for now, will enable it later during the test)
- FortiSwitches: All
- Category: Device
- MAC address: 02:09:0F:**:**:**
- Operating system: Ubuntu
- Assign VLAN: Ubuntu_Segment
- Bounce port: Disabled.
- Enable the Assign device to dynamic address option, create a new Dynamic Address and give it
the name Ubuntu Clients.

- Select Ubuntu Clients dynamic address in order to dynamically map the matched device’s
MAC address to the dynamic address group. This dynamic address group will be used later in
the FW policy to define your access.

- Click OK to save the NAC Policy

Create Firewall Policy to allow Internet access from Ubuntu LAN Segment

Create a firewall policy to allow traffic from the matched Ubuntu client host(s) to the Internet. As
explained before, all devices belong to the main L3 nac_segment VLAN interface from the FortiGate
point of view, so we need to specify the dynamic address group for the different device
groups/dynamic addresses.

Please note that from the FortiSwitch level, the devices belong to their corresponding VLANs. We will see
during the verification how this is achieved.

1. Navigate to Policy & Objects > Firewall Policy and create the following policies:

Applying the NAC configuration FortiSwitch's physical port

Once the NAC Policy has been created, we'll need to change the Mode on the physical port of the
FortiSwitch.

1. Navigate to WiFi & Switch Controller > FortiSwitch ports. expand FSW-HQ-3 -
S108DVOJL3EKH946:

2. Select Port4, change the mode to NAC, by using right click to display the options:

Testing & Verification

Now that the NAC mode has been applied to the FortiSwitch port, the connected device will be re-evaluated.
The device is assigned to the onboarding VLAN prior to being matched by a NAC Policy, and it is
listed under onboarding on the CLI with all the associated details.

Known (or Matched) NAC Devices: Once the connected device has matched a NAC Policy, it will
be assigned a VLAN according to the Policy and displayed under Matched Devices on the GUI and known on
the CLI, with all the associated details.

NOTE: The NAC policies are evaluated from top-down on a first-match approach, so the most specific
policies should be set at the top.
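As an added illustration (not code from the lab guide or from FortiOS), the following Python models this first-match evaluation using the lab's own NAC policy values (MAC pattern 02:09:0F:**:**:**, OS Ubuntu, VLAN Ubuntu_Segment, dynamic address Ubuntu Clients). The second “Printers” policy and the non-Ubuntu hosts are constructed to show how policy order and a disabled status change the outcome.

```python
"""First-match evaluation of FortiSwitch NAC policies (illustrative).

Added example, not FortiOS code: it models the evaluation order the guide
describes (policies checked top-down, the first enabled match wins, unmatched
devices stay on the onboarding VLAN) for the device-pattern criteria used in
this lab. The lab's own values are the MAC pattern 02:09:0F:**:**:**, the OS
'Ubuntu', the VLAN 'Ubuntu_Segment' and the dynamic address 'Ubuntu Clients';
the 'Printers' policy and the non-Ubuntu hosts are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

ONBOARDING_VLAN = "onboarding"   # VLAN 4089 in the lab; hosts wait here until matched


@dataclass
class Device:
    mac: str                      # as learned on the FortiSwitch port
    os: Optional[str] = None      # as identified by the FortiGate ('diagnose user device get')


@dataclass
class NacPolicy:
    name: str
    assign_vlan: str
    status: bool = True                       # 'Status: Disabled' policies are skipped
    mac_pattern: Optional[str] = None         # '*' matches exactly one hex digit
    os: Optional[str] = None                  # exact, case-insensitive OS name
    dynamic_address: Optional[str] = None     # group the matched MAC is added to


def mac_matches(pattern: str, mac: str) -> bool:
    """Positional wildcard match of a MAC against a pattern such as 02:09:0F:**:**:**."""
    p, m = pattern.upper(), mac.upper()
    return len(p) == len(m) and all(a == "*" or a == b for a, b in zip(p, m))


def evaluate(policies: List[NacPolicy], device: Device) -> Tuple[Optional[str], str]:
    """Return (matched policy name, assigned VLAN) for a device.

    Policies are tried in list order and the first enabled policy whose
    criteria all hold wins, so a broad policy placed above a specific one
    shadows it (hence the guide's advice to put specific policies first).
    """
    for pol in policies:
        if not pol.status:
            continue
        if pol.mac_pattern and not mac_matches(pol.mac_pattern, device.mac):
            continue
        if pol.os and (device.os or "").lower() != pol.os.lower():
            continue
        return pol.name, pol.assign_vlan
    return None, ONBOARDING_VLAN


def dynamic_address_members(policies: List[NacPolicy],
                            devices: List[Device]) -> Dict[str, Set[str]]:
    """Map each dynamic address group to the MACs NAC would place in it.

    This is the membership a firewall policy referencing the dynamic address
    (e.g. 'Ubuntu Clients' -> Internet) effectively acts on.
    """
    by_name = {p.name: p for p in policies}
    members: Dict[str, Set[str]] = {}
    for dev in devices:
        name, _vlan = evaluate(policies, dev)
        if name is None or by_name[name].dynamic_address is None:
            continue
        members.setdefault(by_name[name].dynamic_address, set()).add(dev.mac.lower())
    return members


def enabled(policy: NacPolicy) -> NacPolicy:
    """Copy of a policy with Status set to Enabled (the lab's 'enable it later' step)."""
    return replace(policy, status=True)


# Lab policy, disabled at creation time as the guide instructs.
UBUNTU_POLICY = NacPolicy(
    name="Ubuntu NAC Segment Policy", assign_vlan="Ubuntu_Segment", status=False,
    mac_pattern="02:09:0F:**:**:**", os="Ubuntu", dynamic_address="Ubuntu Clients",
)
# Constructed broader policy (same OUI, no OS criterion) to illustrate ordering.
PRINTER_POLICY = NacPolicy(name="Printers", assign_vlan="Printer_Segment",
                           mac_pattern="02:09:0F:**:**:**", dynamic_address="Printers")

# Ubuntu client MAC taken from the guide's diagnose output; the others are constructed.
LUBUNTU = Device("02:09:0f:00:0e:04", os="Ubuntu")
WINDOWS_HOST = Device("02:09:0f:00:0e:05", os="Windows")
OTHER_VENDOR = Device("00:11:22:33:44:55", os="Ubuntu")
```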

Check the onboarding status for the connected device.

1. From FGT CLI, use this command to confirm that the Ubuntu client is under Onboarding status:
diagnose switch-controller mac-device nac onboarding

As you see, the device connected to FSW-HQ-3 (S108DVOJL3EKH946) port 4 is under onboarding
status; it should be assigned to the onboarding VLAN 4089 from the FSW side.

2. Navigate to WiFi & Switch Controller > FortiSwitch Ports, expand FSW-HQ-3 -
S108DVOJL3EKH946 and check the native VLAN assigned to port 4:

3. Open the display for Host-2 to access the Ubuntu client and check the IP address assigned to it.

- Open QTerminal from the System Tools menu. Use the following command to display the
adapter details: ip addr show dev ens4

- The client should be assigned an IP from the nac_segment VLAN interface
(10.255.13.0/24). Remember the IP address assigned to the client.

- Since we have no Firewall policy created to allow any access to the Onboarding LAN
Segment, the client shouldn't be able to access the internet. Try to ping www.fortinet.com;
the ping should fail.

Check the Matched NAC Policy for the connected device.

1. Navigate to WiFi & Switch Controller > NAC Policies, enable Ubuntu NAC Segment Policy.

2. From FGT CLI, use this command to confirm that the Ubuntu client is under known status:
diagnose switch-controller mac-device nac known

As you see, the device connected to FSW-HQ-3 (S108DVOJL3EKH946) port 4 is matching the
Ubuntu NAC Segment Policy; it should be assigned to the Ubuntu_Segment VLAN 4000 from the
FSW side.

3. Navigate to WiFi & Switch Controller > FortiSwitch Ports, expand FSW-HQ-3 -
S108DVOJL3EKH946 and check the Dynamic VLAN assigned to port 4:

NOTE: It might take up to 1-2 mins for the dynamic VLAN to be displayed on a switch port in the FGT
GUI.

To see the Dynamic VLAN associated with the client via CLI, you need to log in to the FSW CLI. Go to
WiFi & Switch Controller > Managed FortiSwitches, access the FSW-HQ-3 CLI from the
FortiGate and execute the following command:

# show switch vlan 4000

NOTE: If you access the FSW CLI for the first time, there's no default password. Just press Enter and set
the password to fortinet.

4. Open the display for Host-2 to access the Ubuntu client and check the IP address assigned to it.

- Open QTerminal from the System Tools menu. Use the following command to display the
adapter details: ip addr show dev ens4

- As you noticed, there's no change in the IP address assigned to the host. The host moved
from the Onboarding VLAN to Ubuntu_Segment while the IP remains the same.

- Try to ping www.fortinet.com; the ping should succeed since the Firewall policy allowed the
dynamic address associated with Ubuntu_Segment to access the Internet.

TIP: The following command on the FGT can help you determine the available device categories and
identify devices to add to a device policy: diagnose user device get <Device MAC>

FG_HQ # diagnose user device get 02:09:0f:00:0e:04

vd root/0 02:09:0f:00:0e:04 gen 69 req HU/18
created 22516s gen 9 seen 14s nac_segment gen 8
os 'Ubuntu' src dhcp id 3255 weight 128
host 'lubuntu' src dhcp

FG_HQ #

Lab 4: Managing FortiSwitches on VXLAN Interfaces
One of the key benefits of having the FortiSwitch managed by the FortiGate is the unmatched end-to-end
visibility provided by FortiLink when a FortiSwitch is managed. This can be a challenge over a Layer-3
network especially if you have more than one FortiSwitch within your remote FortiSwitch Island.

From FortiOS & FortiSwitch v7.2 onwards, Virtual Extensible LAN (VXLAN) is supported on the
FortiSwitch (both Managed & Standalone). VXLAN interfaces can be used to create a layer-2 overlay
network when managing a FortiSwitch unit over a layer-3 network. After a VXLAN tunnel is set up
between a FortiGate device and a FortiSwitch unit, the FortiGate device can use the VXLAN interface to
manage the FortiSwitch units.

In this lab, we will go through some of the steps needed to configure Software-VXLAN connectivity
between a FortiGate & a FortiSwitch over a Layer-3 Network.

*FortiLink + VXLAN config are by-and-large configurable only from CLI at the moment.
** In this lab, we will only be working on software-VXLAN (Control Plane traffic only) due to the
limitation with FSW-VM. We do support both software & hardware-VXLAN on our FortiSwitches.

Configuring L3 Router (fg-remote)

We will use a remote FortiGate as a L3 router only.

1. Configure port2 with:

• IP/Netmask: 172.168.88.1/24
• Administrative Access: HTTPS, HTTP, SSH & PING
Leave the rest as default.

2. Create Staff VLAN on FSW1_fol3 (port2) with the following configuration:

• VLAN ID: 99
• IP/Netmask: 10.99.0.1/24
• DHCP Server: Enabled
• Administrative Access: HTTPS, HTTP, SSH & PING
Leave the rest as default.

3. Create the following Firewall Policies based on the screenshot below:
a. Port1 -> Port2 – for VXLAN traffic in – NAT DISABLED
b. Port2 -> Port1 – for VXLAN traffic out – NAT DISABLED
c. Staff -> Internet – for testing & verification purposes

Configuring FortiSwitch (fsw-fol3-1)

Login to the fsw-fol3-1 via Console/SSH – VXLAN config is only configurable via CLI at the
moment

1. Create a VLAN to be used as VXLAN interface within fsw-fol3-1 CLI:

config system interface
edit "vlan888"
set ip 172.168.88.2 255.255.255.0
set vlanid 888
set interface "internal"
next
end

2. Configure VXLAN interface with FG-HQ’s port1 IP:

config system vxlan
edit "vx-4094"
set vni 123456
set vlanid 4094
set interface "vlan888"
set remote-ip "10.77.0.1"
next
end

3. Add a static route for VXLAN with remote VXLAN IP as the destination

config router static
edit 1
set device "vlan888"
set dst 10.77.0.1 255.255.255.255
set gateway 172.168.88.1
next
end

4. Enable FortiLink over L3 on fsw-fol3-1, which is connected to fg-remote. FortiLink over L3 is
configured to create an uplink trunk.

config switch interface
edit port1
set fortilink-l3-mode enable
end

5. Configure FortiLink trunk to static & disable auto-VLAN provisioning

config switch trunk
edit "__FoRtILnk0L3__"
set auto-isl 1
set static-isl enable
set static-isl-auto-vlan disable
set members "port1"
next
end

6. Set vlan888 as the native vlan for the FortiLink interface:

config switch interface
edit "__FoRtILnk0L3__"
set native-vlan 888
set allowed-vlans 1-4094
set dhcp-snooping trusted
next
end

7. Enable dhcp discovery in global switch-controller since we will have the FG HQ serving it from
the DHCP options through the VxLAN tunnel:

config switch-controller global
set ac-discovery-type dhcp
end

8. Assign VLAN ID 4094 to the internal interface which will be used to establish FortiLink
connection over VXLAN:

config switch interface
edit "internal"
set native-vlan 4094
next
end

Configuring FortiGate (FG-HQ)

Login to the FG-HQ via Console/SSH – VXLAN config is only configurable via CLI at the moment

1. Create a VXLAN interface on port1 & configure the remote IP of fsw-fol3-1:

config system vxlan
edit "fol3-vxlan"
set interface "port1"
set vni 123456
set remote-ip "172.168.88.2"
next
end

2. Enable FortiLink, set IP address to 10.188.0.1 (ac-list IP) & allowaccess to “ping fabric”:

config system interface
edit "fol3-vxlan"
set fortilink enable
set ip 10.188.0.1 255.255.255.0
set allowaccess ping fabric
next
end

3. Create a static route to fsw_fol3_1 via fg_remote:

config router static
edit 0
set dst 172.168.88.0 255.255.255.0
set gateway 10.77.0.6
set device "port1"
next
end

4. Configure the DHCP server with option 138 to provide the switch-controller IP address to the
FortiSwitch unit. DNS and NTP services are provided by the FortiGate device.

config system dhcp server
edit 0
set dns-service local
set ntp-service local
set default-gateway 10.188.0.1
set netmask 255.255.255.0
set interface "fol3-vxlan"
config ip-range
edit 1
set start-ip 10.188.0.2
set end-ip 10.188.0.254
next
end
config options
edit 1
set code 138
set type ip
set ip "10.188.0.1"
next
end
set vci-match enable
set vci-string "FortiSwitch"
next
end

Test & Verification

1. Check and confirm that FSWs has been discovered. Click Authorize & wait for them to be
managed by fg_hq1. It may take up to 5 mins for the FSWs to be managed.

2. Rename both the FSWs to the corresponding unit.

3. VXLAN diagnostic on fg_hq1:

4. Push VLAN to fsw-hol3-2 with NAC Policy:

On fg-hq1:

i. Create Staff VLAN, under the fol3-vxlan Fortilink with the following configurations
• VLANID : 99
• IP/Netmask : 10.99.0.1/24
• DHCP Server : Disabled
• Administrative Access : HTTPS, HTTP, SSH & PING

ii. Create a NAC Policy with the following configurations:
• MAC Address – 02:09:0F:00:08:02 (this is the MAC of host4-fol3)
• Assign VLAN: Staff
• Bounce Port: Enabled

iii. Apply NAC Policy to Port5 of fsw-fol3-2 – host4-fol3-1 is connected to this port. Observe
the MAC address of connected host on port.

iv. Check to confirm that the NAC Policy has been matched and the Staff VLAN assigned to port5 of
fsw-fol3-2.

On fsw-fol3-2:

i. Confirm this on fsw-fol3-2. VLAN 99 is now part of allowed vlans

On host4-fol3-1:

i. Confirm on host4-fol3-1 that the correct IP address (10.99.0.x) has been assigned to it &
it’s able to reach the internet
Lab 5: Security Fabric
To complete the setup, configure the Fabric connectors. Before you can do that, you
need to provide them with connectivity.

Create the VLAN backend_vlan with any VLAN ID, but the IP subnet must
be 10.88.0.254/24, since the devices have static IPs configured.

Assign it to the appropriate FortiSwitch and FortiSwitch port in the topology; look
carefully, there are two of them. You can edit the port descriptions as well.

Then apply a policy to allow them to connect to the Internet and validate the licenses:

Configure the Security Fabric Setup

Configure the Security Fabric Setup. For that, create the FortiAnalyzer first, otherwise the
FortiGate will force you to choose the Cloud FAZ upon activation of the Security Fabric.

Click on "Test connectivity" and it will show "Unauthorized" for the moment. Click
OK, accept the Verify FortiAnalyzer Serial Number when prompted and continue.

Authorize the device on the FAZ before continuing. If you do not see the “unauthorized device”
notification in FAZ for a long time, reboot the VM. That should solve the issue.

Verify connectivity to FAZ with the Test Connectivity button.

Go back to Fabric Connectors > Security Fabric Setup. Set status to Enabled and
choose the Security Fabric Role for this FortiGate to be the Fabric Root. The security fabric
name is entered at this point; in the example screenshots it is called Fortiswitch. Use the VLAN
previously created for the fabric elements' connectivity.

Configure the FortiManager

Configure the FortiManager IP 10.88.0.1 and accept the Serial Number validation.

You must authorize FortiGate from FortiManager:

You might see a warning indicating that the FortiGate has a different firmware version. It actually
has the same 7.2.0 GA version as FortiManager; just the build number does not match. You can
safely ignore the warning by clicking OK.

Authorization is complete when the progress bar reaches 100% as in the screenshot below:

After configuring the FortiManager connector, you must log in with Read&Write access to
FortiGate, to continue to use FortiGate webui. Now all the basic devices should be up and
running:

The fabric configuration page should look similar to the screenshot below:

Configure the Radius (FortiAuthenticator)

Go to User & Authentication > Radius. Configure the IP of the FortiAuthenticator
(10.88.0.3) and the secret word fortinet. The FAC is already pre-configured to accept Radius
requests from this FortiGate. Test the connectivity; it should say Successful.

Test one user's credentials: pc1/fortiswitch. It should return a successful login and the Radius
AV-Pairs with VLAN ID 250 (Tunnel-Private-Group-ID Value = 32 35 30).

Create a user group with the Radius server:
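The value 32 35 30 is simply the ASCII string “250”. As an added example (not part of the lab guide, and not a captured FortiAuthenticator reply), the following Python decodes the RFC 2868/RFC 3580 tunnel attributes the way an 802.1X authenticator does, including the optional tag octet, using constructed attribute bytes that mirror this test result.

```python
"""Decode the RADIUS tunnel attributes that carry a dynamic VLAN (illustrative).

Added example, not from the lab guide or FortiOS. The RADIUS test above
returns Tunnel-Private-Group-ID = 32 35 30, the ASCII bytes of '250'; this
shows how an 802.1X authenticator reads that value together with Tunnel-Type
and Tunnel-Medium-Type as defined in RFC 2868 / RFC 3580. The attribute bytes
below are constructed to mirror that result; no real FortiAuthenticator reply
was captured.
"""
from typing import Iterator, Optional, Tuple

TUNNEL_TYPE = 64                 # RFC 2868 attribute types
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6        # RFC 3580: Tunnel-Medium-Type = IEEE 802


def parse_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list: Type(1) Length(1, includes header) Value."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        yield atype, data[off + 2:off + alen]
        off += alen


def strip_tag(value: bytes) -> bytes:
    """RFC 2868 tag handling: a leading octet in 0x00..0x1F is a tag, not data.

    '2' is 0x32, so an untagged '250' survives unchanged; a tagged copy loses
    only its tag byte.
    """
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def tunnel_integer(value: bytes) -> int:
    """Tunnel-Type / Tunnel-Medium-Type carry a tag plus a 3-octet integer."""
    body = strip_tag(value)
    if len(body) != 3:
        raise ValueError("tunnel integer attribute must be 3 octets after the tag")
    return int.from_bytes(body, "big")


def dynamic_vlan(data: bytes) -> Optional[int]:
    """Return the VLAN an authenticator would assign from a reply, or None.

    All three attributes must be present and consistent; a Group-ID alone is
    not enough, and the VLAN must be a valid 802.1Q ID.
    """
    ttype = medium = None
    group: Optional[str] = None
    for atype, value in parse_attributes(data):
        if atype == TUNNEL_TYPE:
            ttype = tunnel_integer(value)
        elif atype == TUNNEL_MEDIUM_TYPE:
            medium = tunnel_integer(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = strip_tag(value).decode("ascii")
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802 or group is None:
        return None
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        raise ValueError(f"Tunnel-Private-Group-ID {group!r} is not a valid VLAN ID")
    return int(group)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute (helper for the constructed reply below)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed reply mirroring the lab's pc1/fortiswitch test: VLAN 250, tag 0x01.
LAB_REPLY = (
    attr(TUNNEL_TYPE, bytes([0x01]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + attr(TUNNEL_MEDIUM_TYPE, bytes([0x01]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0x01]) + bytes.fromhex("32 35 30"))
)
```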

Now you can use this user group on a Security Policy for the 802.1X on the
FortiSwitches. Remember to create a policy from FortiLink to the Radius.

End of the workshop.

Appendix A: How to run the labs?

Access the FortiPoC instance with guest account (guest/cseguest). On the Dashboard, click
on the info icon to open the documentation containing detailed instructions on how to run
each demo, which is similar to this guide.

FortiSwitch Access:

FortiSwitch is controlled by FortiGate, there is no need to connect to its console, except for
FortiLink over Layer 3 Demo.

In case FortiSwitch is not responding, go to FortiPoC Dashboard > Action > Power Off,
then Power On.

Linux Endpoint Access:

host2, host4, host6, host8 and host9 are linux clients.

Access is via FortiPoC Dashboard. Connect to the FortiPoC instance with guest
account (guest/cseguest). On the Dashboard, select Access then DISPLAY.

SSH can also be used, see section Device SSH Access info
