FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vrajendran
Staff
Staff
Article Id 193893

Description

 
This article describes the steps to create a VLAN interface (802.1q tag) on a FortiGate.

Scope
 
Any FortiGate.


Solution

 
Note about traffic tagging:
A VLAN interface is attached to a physical interface. 
When the FortiGate sends out traffic to the physical interface level, the egress packets are untagged, whereas the packets sent on a VLAN level are tagged.
 
If on a particular VLAN there are destination devices in the network that do not accept tagged packets, it will be required to connect the FortiGate to an intermediate L2 unit (a switch for example) configured with the same VLAN(s).

Below is an example structure with a FortiGate with VLAN id 1 attached to port1:
 
[ FortiGate ]  ---- port1 ----->  untagged packets
                    ----VLAN1 (on port1) ----->  tagged packets
 
Configuration steps to add the VLAN 100 to the physical interface port1 through both the CLI and GUI are provided in this article. The VLAN will be named My_VLAN_100.
 
Notes:
 
- Once created, this interface is subject to the same rules as physical interfaces. Firewall Policies must be defined to allow/deny traffic to/from this interface, and other common objects like Firewall Address can be assigned to it.
 
- The physical interface on which a VLAN is attached does not require any IP address settings.
 
- The VLAN ID range is from 1 to 4094. VLAN ID of 0 is reserved for high-priority frames, and 4095 is reserved.
 
Configuration steps  from the GUI:

1) Go to System -> Network and select 'Create New' -> 'Interface'.

AlexCFTNT_0-1671696297386.png

 

 

2) Give a Name to the VLAN interface.


3) Choose the physical interface on which to attach the VLAN.

 

4) Give the desired VLAN ID. All other fields depend on individual requirements, such as IP address and ping server.


5) After completing the above steps, select 'Ok' to save the new VLAN interface.

 

AlexCFTNT_2-1671696559984.png

 

To verify, check the interface in System -> Network > Interfaces, by expanding the physical port. There it should be seen the new VLAN displayed:

 

AlexCFTNT_3-1671696701797.png


Configuration steps in the CLI for the above VLAN:

 

# config system interface
    edit "My_VLAN_100"
        set vdom root
        set ip 192.168.100.1/24
        set interface internal1
        set vlanid 100
    next
end

 

Related Articles:

Troubleshooting Tip: Using the FortiGate sniffer on VLAN interfaces

Technical Tip: rules about VLAN configuration and VDOM interface assignment

Comments
crao
Staff
Staff

Thanks for documenting.