FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to trace which switch-interface of FortiGate goes to which interface of FortiSwitch if physical cable tracing is not available.
In this example, 2 FortiGate is in the HA cluster. The FortiLink (x1 and x2) interface is connected to 2 FortiSwitches.
Scope
FortiGate.
Solution
Get the MAC address of the FortiSwitch interface to trace:
diagnose switch physical-ports list diagnose switch physical-ports list [<port_name>]
Once the MAC-address of the FortiSwitch interface is obtained, trace it on which interface it is present on each FortiGate cluster member.
diagnose netlink brctl name host fortilink diagnose netlink brctl name host fortilink | grep -i <mac:address:to:filter>
Note:
'get sys arp' will not be sufficient because it will show the switch-interface instead and not the particular interface.
Do the same approach on the Secondary FortiGate to trace the interface used. To log to the Secondary FortiGate and trace the interface used also, use the command mentioned in the below KB article: Technical Tip: How to access secondary unit of HA cluster via CLI
