FortiGate: Software-/ Hardware-/ VLAN-Switch

I am still a bit confused about the different switch types a FortiGate firewall is able to handle. While there is a lot of information on the Internet about the “internal-switch-mode” setting (“switch” vs. “interface”), I have not found any good information about the differences between the “hardware”, “software” and “VLAN” switch types that are configured via the GUI, with the VLAN switch only becoming available after “set virtual-switch-vlan enable” in the CLI. Though I still don’t know all the differences exactly, I am trying to explain some of them here.

Possibilities

This table lists the possible switch types. The first column shows the configured switch mode ( set internal-switch-mode {interface|switch} ), the second the VLAN switch mode ( set virtual-switch-vlan {enable|disable} ), and the last column the switch types that can be configured in that combination (software, hardware, VLAN):

Switch Mode                   | VLAN Switch Mode              | Switch Types
set internal-switch-mode ...  | set virtual-switch-vlan ...   |
------------------------------+-------------------------------+----------------------------------
switch                        | disable                       | Software Switch
switch                        | enable                        | Software Switch
interface                     | disable                       | Hardware Switch, Software Switch
interface                     | enable                        | VLAN Switch, Software Switch

Mode: Switch or Interface

This is explained on many pages on the Internet and even in the official Fortinet documentation. Mostly, you want the “interface” mode, in which every port of a FortiGate can be configured as its own layer-3 interface. Currently, when a FortiGate is factory reset, the default is “interface” mode.

Type: Software, Hardware, or VLAN

Now it’s getting a bit more interesting. As the table above shows, the software switch is available in every scenario, while the hardware switch and the VLAN switch are only possible in “interface” mode. Whatever the type, a switch shows up as a single layer-3 interface to which the IP address and the firewall policies are assigned, just like a physical interface.

  • Software Switch: This is a logical (!) bundle of interfaces of different types. It can be used if physical interfaces and WiFi interfaces/SSIDs/etc. should be bound together. Frames between the members are bridged in software by the CPU rather than by the internal switch chip, so its throughput is lower than that of a hardware switch.
  • Hardware Switch: A hardware switch groups physical ports that sit on the same integrated switch chip, and the switching between them is done by that chip. This is hardware dependent: not all FortiGate models have such an internal switch, and those that do differ in which ports can be grouped together.
  • VLAN Switch: This is a hardware switch with a VLAN ID attached to it. With this feature, it is possible to create a hardware switch that belongs to a VLAN already present on the network. This VLAN can then be carried through another port in trunk mode to other layer-2 switches.
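To make the table and the three types above concrete, here is an added example of how they look in the FortiOS CLI on a model with an internal switch chip. This is not configuration from the original post; the port names, the physical switch name “sw0”, the switch names, the VLAN ID, the SSID interface name and the IP addresses are assumptions for illustration, and which ports belong to which physical switch depends on the model.

```fortios
# Added example, not from the original post. Port names, switch names,
# VLAN ID, SSID interface name and addresses are assumed for illustration.

# 1) Global mode: "interface" mode is required for hardware and VLAN
#    switches; "virtual-switch-vlan enable" additionally turns a
#    hardware switch into a VLAN switch (last row of the table above).
config system global
    set internal-switch-mode interface
    set virtual-switch-vlan enable
end

# 2) Hardware / VLAN switch: ports of the same internal switch chip
#    ("sw0" assumed here) are grouped and switched by that chip. With
#    virtual-switch-vlan enabled, "set vlan" attaches the VLAN ID, which
#    is what makes this a VLAN switch instead of a plain hardware switch.
config system virtual-switch
    edit "vsw-vlan10"
        set physical-switch "sw0"
        set vlan 10
        config port
            edit "port3"
            next
            edit "port4"
            next
        end
    next
end

# 3) Software switch: a CPU-bridged bundle of interfaces of different
#    types, here a physical port and an (assumed) WiFi SSID interface.
config system switch-interface
    edit "soft-sw"
        set vdom "root"
        set type switch
        set member "port5" "wifi-guest"
    next
end

# 4) Each switch appears as one layer-3 interface and gets an IP
#    address; firewall policies then reference these interface names.
config system interface
    edit "vsw-vlan10"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "soft-sw"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping
    next
end
```

The uplink port in trunk mode that carries VLAN 10 to the other layer-2 switches is configured on that port itself and its options differ between models and FortiOS versions, so it is deliberately left out here rather than guessed.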

I hope this brings a bit more understanding. Please write a comment if I missed something or explained something wrong.

Featured image “HP A5800 Switch Stack” by Johannes Weber is licensed under CC BY 2.0.

6 thoughts on “FortiGate: Software-/ Hardware-/ VLAN-Switch”

  1. Sorry, but does not help at all. The only thing you did here was repeat the basic info in Fortigate docs. But how/when to actually use and combine the switch types remains a mystery. As example, what switch type is required to set a native vlan tag in a hardware (or software) switch with multiple VLAN switches attached?

    1. Some older models of Fortigate firewall only support “all” ports as “interface mode” or “all” ports as “switch mode”, like models 50b, 50c, 50d, 60b, 60c, 60d. In these models, you cannot control every “single” port.

      In your case, who/when?
      If you want to let port1 and port2 work in “interface mode” and let port3 and port4 work in “switch mode” with some VLANs on port3 and port4, these models cannot support this solution, so the Fortinet company uses the “software switch mode” technique to solve this unsupported case. In “software switch”, you can set port1 and port2 as “interface mode” called “sw0”, set port3 and port4 as “switch mode” called “sw1”, create VLAN interfaces called vlan1 and vlan2 and bind them to sw1, and finally set them to work for inbound or outbound in the firewall policy.

    1. ;) Sorry that I failed in making it clearer. It was my attempt to bring some light into the misconceptions from Fortinet… Not easy at all.

  2. Hello Johannes,
    you didn’t fail, at least in my case it helped. To be honest, I find this matter very confusing and FortiNet’s documentation and naming conventions a disgrace. Regards, Ueli
