Full Fortinet Stack Environment

  • Published on 18 Jan 2025

Comments • 122

  • @zgralewski
    @zgralewski 2 years ago

    Thank you.

  • @Xyler94
    @Xyler94 3 years ago +5

    I have a Fortinet Full Stack at my house, and it's pretty cool.

  • @_stucki_
    @_stucki_ 3 years ago +1

    Hi Fortinet Guru, it's nice to see some hints and tips from you, I'm mainly working on the bigger devices in an enterprise environment. (FG1100, FG1800 and upwards)
    It's sometimes very helpful to see some ideas from a different side of view, it helps in daily work. Thanks for sharing!

  • @disasstah
    @disasstah 1 year ago

    There were a lot of helpful tidbits of knowledge in here! I really appreciate it, especially since I'll be deploying stacks just like what you have shown.

  • @RichardDePas
    @RichardDePas 3 years ago +1

    Thanks! That was a great brief description of getting the stack up and running.

  • @keithlee4945
    @keithlee4945 3 years ago +1

    Have been following your blog and videos. Excellent walk through!
    Deployed my first full Fortinet Stack (101F configured in a ring mode on the 10G interfaces 2x FS148F-PoE w/10x FortiAP-231E)
    All I can say is that the video doesn't do justice to what the whole solution can actually do.
    For my client's request, I got to see first hand how powerful the whole integration is. Being able to see devices is one thing, the FortiAP is pretty decent, as it's able to also monitor the air in real time for the 231E (yes they even have the Meraki spectrum analysis!). Roaming wasn't a problem and didn't require much configuration which I'm quite surprised coming from deploying Ubiquiti/Ruckus/Aruba.
    I just hope Fortinet has better QC on their Fortigate's firmware.

    • @FortinetGuru
      @FortinetGuru 3 years ago

      The visibility is wonderful and helps people out a lot! I am a big fan of it. I do hope for higher QC on the firmware.

  • @FlorianZevedei
    @FlorianZevedei 3 years ago +1

    Thanks for the impressive and simple introduction! Great stuff. Makes a lot of sense in that "Forti-Universe". Thanks!

  • @zgralewski
    @zgralewski 2 years ago

    I love your videos. The one brilliant source of fortiknowledge.

  • @uByte2
    @uByte2 3 years ago +1

    Just what I needed. Thank you so much.

  • @ajibolayusuf2057
    @ajibolayusuf2057 2 years ago

    The way you explain things succinctly needs to be studied! For real thank you Mikey!

  • @Itisnot2late
    @Itisnot2late 3 years ago

    Brief introduction. Thanks a lot.

  • @cecilerasmussen8161
    @cecilerasmussen8161 3 years ago

    Giving this a go tomorrow, can't wait. Makes a lot of sense. Thank you

  • @thom71
    @thom71 3 years ago +1

    That was a great explanation of all of that. I have the 60F, 124PoE, 221E, and a 222E and have just started working at dialing all of this stuff in on my home network. My 60F uploads to my office Fortianalyzer. I can police the kids and keep them off youtube and stuff, and shut off the netflix at night so they actually go to bed. I'd like to see some policy building, as I had a hard time getting the chromebooks locked down.

  • @tonymarms8908
    @tonymarms8908 3 years ago +2

    Thanks for this great teaser of fortinet full stack 👍
    I don't know if you already have this video but if you have time can you also discuss multi tenancy capabilities of fortinet firewall, like vdoms/vrf.
    I'm just collecting use cases that may help us build a network as service provider, currently reviewing fortinet as firewall for this project..
    Hope to hear some inputs..🙂 cheers 👍👏 keep it up

  • @rhdtv2002
    @rhdtv2002 3 years ago +2

    We just upgraded from a Juniper to Fortigate 100e.. we are now waiting to receive 4 FORTINET POE switches

  • @saifemran4528
    @saifemran4528 3 years ago +1

    As always, great videos!

  • @kostass8853
    @kostass8853 3 years ago

    Hey long time no see a new video...! Missed your excellent videos!!!

  • @5945751
    @5945751 3 years ago

    First time watching your video; love it. Now a subscriber

  • @musclekitchen3705
    @musclekitchen3705 3 years ago +1

    Alright mate are you still going to do the video of cisco vs fortinet like you did with checkpoint and palo alto that was really good stuff 👍

  • @demandredlfc4180
    @demandredlfc4180 3 years ago

    Am I right that if I use tunnel mode SSIDs then I will not be able to see Wi-Fi clients from FortiSwitch Ports view, as it is on 23:24?

  • @leonelsalah8950
    @leonelsalah8950 4 months ago

    Tks for your video, I have a question: what is the difference between using port with fortilink (a&b) and normal port to connect to FortiSwitch?

  • @naveedsa6429
    @naveedsa6429 9 days ago

    How’s the performance of the AP against Meraki & Ruckus?

  • @CristobalRuiz
    @CristobalRuiz 3 years ago

    Love the shirt bro.

  • @yesforarab
    @yesforarab 1 year ago

    Thank you!

  • @dtcoleman05
    @dtcoleman05 3 years ago

    Great video! Do you have any FortiNAC demo and/review videos?

  • @myanmarict1590
    @myanmarict1590 2 years ago

    That is really helpful. Thank you so much!

  • @markusfrey3775
    @markusfrey3775 3 years ago

    WOW, Amazing! I work on a LAB with 2 FortiGate 60F and 2 FortiSwitch 124F and 4 AP231F. What is the best prec. for 100% HA Stack? Would you please be so kind and give me a few hints?

  • @ErwinNiesten
    @ErwinNiesten 3 years ago +1

    Hello Mike, I have watched a lot of your videos! You are doing a great job, thanks for that!
    I have a similar setup at home right now, unfortunately without multiple internet connections.
    Is there a possibility that you created a video regarding FortiSwitch NAC Policies and FortiSwitch Security Policies within this setup? Thank you!
    Keep up the good work! Regards!

    • @FortinetGuru
      @FortinetGuru 3 years ago +2

      Let me see what I can do!

  • @thomasjoseph9609
    @thomasjoseph9609 2 years ago

    it is really nice and helpful

  • @JunLYeap
    @JunLYeap 3 years ago

    Thanks for sharing sir!

  • @brendanbass5495
    @brendanbass5495 3 years ago

    Great content learned plenty.

  • @JasonLeaman
    @JasonLeaman 3 years ago +1

    I've wanted to try a Fortinet firewall, but the licenses are expensive for a home lab :(

  • @stephensukhai3311
    @stephensukhai3311 3 years ago +1

    Great Video......followed your video but noticed with my FortiAP 231F I’m not getting anything faster than 100MB download. I do have a 1gig connection. Wired connections I have no issues. Any thoughts?

    • @vewo234
      @vewo234 3 years ago +1

      Are you using CAPWAP by any chance? Some smaller/older FGT models can't offload CAPWAP and CPU speed will limit the throughput.

    • @dineshchandrawanshi4683
      @dineshchandrawanshi4683 3 years ago

      Use Appropriate fortiSwitch

  • @ebrahimshaikjee6799
    @ebrahimshaikjee6799 2 years ago

    Great video, just curious why would you use the 3rd octet as your site identifier instead of the 2nd octet which makes a lot more sense.

    • @FortinetGuru
      @FortinetGuru 2 years ago +1

      It’s personal preference / scalability. I have situations where I use the second octet (when proposed future branches are smaller than 256). Otherwise, the third octet enables up to 2500 (although smaller potential subnets) branches

  • @ruellerz
    @ruellerz 3 years ago

    I challenge your subnet and vlan design. The second octet should be the site identifier while the 3rd is for the VLAN ID. Maybe you said it wrong @ 12:20

    • @ruellerz
      @ruellerz 3 years ago

      You lose the ability to do any summary routes. Give a site /16 and slice it up

  • @iamnotnice1536
    @iamnotnice1536 3 years ago +1

    Fortinet are awesome. Beats the likes of Sophos, Juniper, Barracuda and WatchGuard. I want this technology and its a solutions will help ALL the small and mid size now and the future. Where can I learn more?

  • @dunnjustintime
    @dunnjustintime 3 years ago

    This was a great video! Thank you so much!!

  • @tomerpeer6398
    @tomerpeer6398 3 years ago

    Hi Fortinet Guru, can you stack Fortinet switches with DAC cables? If so, can you advertise a short brief of how to. Thanks in advance. Tomer

  • @Desertedx
    @Desertedx 3 years ago

    So great video!

  • @camryds
    @camryds 3 years ago

    I would like to know how to configure FWF -> FAP in a mesh environment wireless mesh with VLAN

  • @harrylumsdon6773
    @harrylumsdon6773 3 years ago

    Any ideas on the fortiextenders?

    • @FortinetGuru
      @FortinetGuru 3 years ago

      They work ok. I only use them for failover

    • @harrylumsdon6773
      @harrylumsdon6773 3 years ago

      Us too. Horrible reboot issues, seem fixed after 2 SW updates. modems would disconnect, til poe reboot. sometimes 17 a day.

  • @hudsonatlantis6754
    @hudsonatlantis6754 3 years ago

    Great Video!

  • @eaperezh
    @eaperezh 3 years ago

    I want to buy that t-shirt!!!! Where can I get it? Thankfully same applies here in Panama, Central America

  • @sdfnhghjdfbgh5851
    @sdfnhghjdfbgh5851 1 year ago

    I have 100f , and need to switch over from the wan interface port to an sfp port. How would you proceed?

  • @shanemallard-n1i
    @shanemallard-n1i 1 year ago

    How would you do your vlans if you have your fw interfaces configured to handle the DHCP?

    • @FortinetGuru
      @FortinetGuru 1 year ago +1

      My vlans themselves would handle the dhcp so no other edits would be necessary other than defining parameters.

  • @eraadw
    @eraadw 3 years ago

    Thanks a lot for sharing your knowledge.
    I have been watching your videos for weeks/month now. And thanks to you I decided to buy a full stack (FG/FS/AP - Book) a week ago for myself and it seems this video came at the perfect moment.
    Since you mention other brand at the start of your video, I was wondering, even tho Fortinet seems way more advanced and reliable than many brand atm do you think installing Unifi or Edge for very small office is a good idea ?
    Anyway thanks again for sharing !!!!

  • @nielstaildeman
    @nielstaildeman 3 years ago

    Nice video! One question though: As I understand from the example in the video, the fortiswitch is handling the L3. But is the Fortigate then still able to check traffic between l3 vlans?

    • @FortinetGuru
      @FortinetGuru 3 years ago

      The fortigate will be handling all routing and access control.

  • @ibrahimngueyon9688
    @ibrahimngueyon9688 2 years ago

    Great

  • @iamrichard8778
    @iamrichard8778 3 years ago

    Hey man, you are pretty good at explaining things. Ever thought of doing a NS course? Heaps of CCNA YT focused channels around. Just a thought.

  • @ignaciosaravia5719
    @ignaciosaravia5719 3 years ago

    Great video!! You make it easier to understand. Hey, do you know how to split an SD-WAN to share WAN1 through LAN port 2? Just a thought.

  • @danycontrerastorre87
    @danycontrerastorre87 3 years ago

    How to get a t-shirt like that?

  • @AhmadSwailem
    @AhmadSwailem 3 years ago +1

    I loved your T-shirt 😂❤

    • @lkfng
      @lkfng 3 years ago

      I wonder if he has hoodies for sale with the same slogan?

    • @AhmadSwailem
      @AhmadSwailem 3 years ago

      @lkfng I do too..

    • @hanold5049
      @hanold5049 3 years ago

      love from china...

  • @stanleyilchev3503
    @stanleyilchev3503 3 years ago

    Love the content!!
    What issues have you run into if you don't daisy-chain the switches, but connect them all directly to the firewall and "trunk" them from there?

  • @alarsen77
    @alarsen77 3 years ago

    Great video! I am currently running a 60f and a 231f at home in a home lab. I have been thinking about adding a switch. I have a small network with only 5 wired devices (including the AP) so I was thinking the 108e PoE would be fine, but do you think the 124e PoE is worth the extra cost for future proofing?

    • @FortinetGuru
      @FortinetGuru 3 years ago

      Depends on your port density needs. It would meet your future requirements tho.

    • @alarsen77
      @alarsen77 3 years ago

      @FortinetGuru I currently only have a few devices and don't have a plan for too many more right now, so was thinking the 8 port would be good and save on cost and I could always upgrade it later if needed. I just wasn't sure if the 24 PoE had any better components that made it perform better.

  • @saikenjkd
    @saikenjkd 3 years ago

    Any chance on a FortiEDR review? In light of all the latest outbreaks, would be a good time to talk about Fortinet's offering compared to CrowdStrike, S1, etc

  • @germanvas63
    @germanvas63 3 years ago

    How can I contact you so I can ask for some advice? I’m in CA

  • @tj71tj71
    @tj71tj71 3 years ago

    I noticed the warning "Security Fabric Connection is disabled" but obviously you are running security fabric? I seem to recall full fabric needs a FortiAnalyzer, is that so and why if so?

    • @FortinetGuru
      @FortinetGuru 3 years ago

      To run the full security fabric you do need the analyzer in order for it to hold and do all of the correlations and data associations. Otherwise, the FortiGate can't hold enough data to maintain the database.

  • @luchobeto
    @luchobeto 3 years ago

    How can you add FortiGate hardware switch ports to the FortiSwitch VLAN after the FortiLink is up and running?

    • @FortinetGuru
      @FortinetGuru 3 years ago +1

      Depending on how your fortilink interface is configured you can add and remove physical interfaces to it.

  • @bboosss1065
    @bboosss1065 3 years ago

    Can you please explore more of the lldp med thing and the logic of the allowed / native thing? How do you decide which port is a trunk port? Or basically it does dot1q and you just decide the native

  • @punkeyengineer
    @punkeyengineer 2 years ago

    What is a perimeter firewall? Please can someone answer me! I have been hearing this word for so long, but still don't have a clue what a "perimeter" firewall is

    • @FortinetGuru
      @FortinetGuru 2 years ago

      Perimeter firewall, also known as the edge firewall. It provides security and such at the edge of a network going out to the world. ISFW (internal segmentation firewalls) provide more specific security services WITHIN the infrastructure (think along the lines of keeping accounting stuff only visible to them etc)

  • @kimhalavakoski5189
    @kimhalavakoski5189 3 years ago

    Hello! Great video! One question though: I am testing out a similar setup with a FG-40F and have some issues in that the VLANs created on the FortiSwitch are not "easily" used on the FortiGate, meaning that I can not use a FortiSwitch VLAN on the FortiGate internal ports...seems like the two devices can't use the same VLANs? Any thoughts / feedback on that and how to use the same VLANs on both devices and possible to configure FortiGate with VLANs from FortiSwitch?

    • @FortinetGuru
      @FortinetGuru 3 years ago

      I recommend keeping all VLANs on the FortiSwitch interface and switches. The ports on the FortiGate itself I only use for Fortilink access honestly.
      You can do Software switches to group ports and interfaces together but then you lose hardware acceleration.

  • @erikbakke5401
    @erikbakke5401 3 years ago

    Do you have url to the compatibility matrix regarding upgrade? I have also run into issues when upgrading fortigate with fortiswitch via fortilink

    • @FortinetGuru
      @FortinetGuru 3 years ago +1

      Google Fortilink Compatibility Matrix and you are set

  • @marcingowacki3647
    @marcingowacki3647 3 years ago

    Great video and just on time as I am preparing to deploy full stack. Video proposal: Trusted CA certificate for deep SSL inspection. Can you recommend any commercial SSL certificate? First certificate I bought has CA:FALSE parameter and I am having problems finding certificate provider that will work for deep inspection and does not cost 200$. Is there any 20$ certificate on the market that will do the job?

  • @nagchampa4476
    @nagchampa4476 3 years ago

    I love security fabric. Well done Fortinet, the best environment! ❤

  • @stage666
    @stage666 2 years ago

    Do you work for fortinet?

  • @SoulJah876
    @SoulJah876 3 years ago

    Is 6.4.6 considered stable now? I was considering upgrading from 6.2.1 to 6.2.8 on my 301E and 501E.

    • @FortinetGuru
      @FortinetGuru 3 years ago

      I’m running 6.4.6 on most gear now

    • @SoulJah876
      @SoulJah876 3 years ago

      @FortinetGuru Thanks for the feedback. I'll test it out.

    • @synchit1593
      @synchit1593 3 years ago

      We are using that on an 1100e, experience memory leak issues which does follow through till 7 and all fortinet support has advised is to kill wad proxy process… one of the worst support experience we have in a mixed vendor environment, no one else can take that crown..

  • @G1rlyG33k
    @G1rlyG33k 3 years ago

    Hey Mike, have you completed your NSE 8 exam? Your content is very helpful.

  • @amj-sauce
    @amj-sauce 2 years ago

    I currently have this...
    [FGT-61F]──(LAN-AGG (Fortilink))──(Ports 2+3+4+5Ports 25+26+27+28)──[FSW-124E-FPOE]──(Ports 23+24Ports 9+10)──[FSW-108E-FPOE]
    I want to do this...
    ┌──(Ports A+BPorts 9+10)─────[FSW-108E-FPOE]
    [FGT-61F]──(LAN-AGG (Fortilink))─┤
    └──(Ports 2+3+4+5Ports 25+26+27+28)──[FSW-124E-FPOE]
    Is this possible with FortiLink split interface? Per the research I have done, things keep pointing to MCLAG but I don't want to complicate things. Any advice?

  • @NorrisCarden
    @NorrisCarden 3 years ago

    The AP on the FortiWiFi only has one radio, so can only run either 2.4ghz or 5ghz.

    • @zobs1234
      @zobs1234 3 years ago

      Depends on the model really. 40F/60F has single radio. 80F has 3 radios (2 to serve customer + 1 scanning). There was also a 50e-2r model with 2 radios, but it's probably eos now.

  • @DonJudd
    @DonJudd 3 years ago

    Mike, if you don't mind answering a dumb question for me. My internal LAN is 192.168.70.x. I have a gateway to gateway VPN to 192.168.1.x. My Data vlan is 10.70.10.x and is part of my INSIDE zone. Firewall policy for INSIDE>VPN is set to allow traffic. I am assuming my static route need to also be set for the 10.70.10.0/24 network, but how? Following this video, I have my VLANs working like yours (Data and Guest, I have no voice) but computers on my Data vlan can't reach the remote end of the VPN.

  • @nbctcp3450
    @nbctcp3450 1 year ago

    in FortiSwitch how to set port to accept ip phone with VOICE vlan40 and DATA in vlan30
    because switch port > ip phone > pc all connected to switch using 1 ethernet port

  • @smokeforless3071
    @smokeforless3071 2 years ago

    Hi any spare REG REF you could borrow me ? thanks

  • @TheDarrenSR
    @TheDarrenSR 3 years ago

    The last ports on all switches LAN devices should always be your uplink ports it is best practice really

    • @FortinetGuru
      @FortinetGuru 3 years ago

      It is how I like to do it. If you have a standard and it works and is repeatable ultimately it will work fine.

  • @Mir_Aus
    @Mir_Aus 3 years ago

    Can someone help with FQDN as I need to learn to access PCs with host name instead of IP when using VPN

  • @kaain775
    @kaain775 3 years ago

    This pairs perfectly with Microsoft 365 services, two exceptionally seamless technologies.

  • @Peteveneno
    @Peteveneno 3 years ago

    The UTP cable that comes with the FortiSwitch or FortiGate is WHITE, NOT yellow

    • @FortinetGuru
      @FortinetGuru 3 years ago

      Astute observation there sir.

  • @mosins5779
    @mosins5779 3 years ago

    The video is not clear my friend

  • @SR_EMM
    @SR_EMM 3 years ago

    Did you have a problem where Access Points Randomly disconnect from Controller? we have 2 networks of about 150 APs each and it happens all the time. Every week there is at least 5 Disconnected AP.

    • @FortinetGuru
      @FortinetGuru 3 years ago

      Negative. What version of code and what model of AP / Gate?

    • @Mrrtbrs
      @Mrrtbrs 3 years ago

      What FOS are you running on the FortiGate? What are your L2 Switches? Any duplicate IP/DHCP Exhaustion? When they are "disconnected" can you ping/SSH etc to the devices?

  • @vmened
    @vmened 3 years ago

    Mikrotik works better than fortinet)

  • @noah9341
    @noah9341 3 years ago

    Palo is better

  • @RaviChinasamy
    @RaviChinasamy 3 years ago

    First 😂

  • @anonymoususer1367
    @anonymoususer1367 3 years ago

    What shitty products. It is probably great for SOHO, but Fortinet has really weak IPS.

  • @lesterawalt3184
    @lesterawalt3184 3 years ago

    That thing is junk and nothing but problems. I went back to Cisco stuff

  • @friedrice7707
    @friedrice7707 1 year ago

    I have the same Fortinet stack connecting my Fortigate to FortiSwitch via FortiLink Interface A and from FortiSwitch PoE connection to FortiAP 221E. Using the 7.2.4 firmware on FG & FS. But I am getting rid of FortiSwitch and FortiAP as the switch is highly unreliable when connecting via FortiLink. The Fortilink between the Fortigate and FortiSwitch will drop to 100mbps despite replacing with brand new Cat 6E cables. And the only way to resolve the issue was to hard reset the switch. After reset and re-established the FortiLink, the same cable that was reporting 100mbps suddenly becomes 1Gbps. But on and off the Fortigate will report the authorized FortiSwitch is Offline. And I had to hard reset, authorize the switch and everything became normal again. The FortiAP wifi performance also sucks as my client will complain about the slow speed when connected to it. I had checked all the configs and the thing is an Asus home AP is more reliable than the more expensive FAP. I am keeping the Fortigate as it's very reliable in my opinion. Already ordered Unifi switch and U6E AP to replace my FortiSwitch and FortiAP. Will be testing them together with Fortigate before deploying them to Production sites. Give up hopes for FortiSwitch and FortiAP. Sad.

  • @youtubegarbage4u
    @youtubegarbage4u 2 years ago

    you missed mikrotik!