
How to Setup FortiSwitch/FortiLink Management using a FortiGate-VM in Hyper-V

This article describes the steps required to set up a Hyper-V based FortiGate-VM to support FortiLink/FortiSwitch management. It assumes that the base FortiGate-VM has already been deployed to Hyper-V and only needs to be adjusted to accommodate the FortiLink connectivity requirements (see: Technical Tip: Deploy FortiGate VM in Hyper-V on Windows 10).

Note: this article may contain configuration references and recommendations for third-party products. It is kindly advised to thoroughly examine these details and liaise with the relevant support teams within the organization to ensure proper assistance during the implementation process.

Scope

  • FortiGate-VM, Hyper-V.
  • FortiLink/Managed FortiSwitch.

Solution

Step 1: Modify the Virtual Network Adapter in Hyper-V that is associated with the FortiGate-VM’s FortiLink interface and set it to Trunk mode.

This change is required on the Hyper-V host so that the FortiGate-VM can send and receive both untagged and VLAN-tagged frames through the Virtual Network Adapter: untagged frames carry the FortiLink management traffic, tagged frames carry the user VLANs. In the default Untagged mode the Hyper-V Virtual Switch does not pass VLAN-tagged frames to or from the VM.

To do this, open a PowerShell prompt on the Hyper-V host with Administrator privilege and run the following cmdlet:

Set-VMNetworkAdapterVlan -VMName <Name of FortiGate VM> -VMNetworkAdapterName <Virtual Interface Name> -Trunk -NativeVlanId 0 -AllowedVlanIdList 1-4094

The above command performs the following:

  • Modifies the named adapter of the specified virtual machine and sets it to Trunk mode (the default mode is Untagged).
  • Sets the Native VLAN ID to 0 (untagged). Untagged traffic sent by the FortiGate is then forwarded out of the Virtual Switch as untagged traffic, rather than Hyper-V expecting tagged traffic on a native VLAN and stripping the tag.
  • Sets the range of allowed (tagged) VLANs to VLAN IDs 1 through 4094. This is the simplest choice for a lab; in production, restricting the list to the VLAN IDs actually carried on the FortiLink keeps the Virtual Switch from delivering tags to the VM that it has no reason to see.

NOTE: The above assumes that a unique name has been assigned to each Network Adapter of the Virtual Machine. If that is not the case, a slightly more involved PowerShell pipeline is required to identify the specific VMNetworkAdapterBase[] object that needs to be manipulated, for example by matching on its MacAddress or SwitchName property:

$adapter = Get-VMNetworkAdapter -VMName <Name of FortiGate VM> | Where-Object -Property <property> -eq <unique value for that adapter>

Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -Trunk -NativeVlanId 0 -AllowedVlanIdList 1-4094

Step 2: Reboot the FortiGate-VM (Optional but Recommended).

After making the PowerShell change described in Step 1, it is recommended to reboot the Virtual Machine in order to avoid potential networking issues related to Hyper-V.

For example, during lab testing it was found that the FortiGate-VM (acting as the DHCP server for FortiLink) did not work correctly immediately after the Virtual Network Interface was changed from Untagged to Trunk mode on Hyper-V. The FortiSwitch would send an untagged DHCP request to the FortiGate-VM, and the FortiGate would respond with an untagged DHCP Offer. However, the FortiSwitch never received this DHCP Offer and was therefore never assigned an IP address, which prevents FortiLink from being established.

The FortiGate-VM should be restarted via the FortiOS GUI or CLI if possible, but it is also fine to Shut Down/Start the Virtual Machine from Hyper-V.

If the PowerShell change in Step 1 is made while the VM is powered down, this step may not be required.

Step 3: Enable Switch-Controller on the FortiGate-VM.

By default the Switch Controller is not visible in the FortiOS GUI. To enable it, go to the CLI and enable the following option:

config system global
set switch-controller enable
end

Step 4: Configure the FortiLink interface on the FortiGate-VM.

By default, the ‘fortilink’ interface exists on the FortiGate-VM as an Aggregate-type interface with lacp-mode set to static. This works as-is; a Software Switch interface can be used as an alternative.

If the original fortilink interface has been deleted then a new one can be created by going to WiFi & Switch Controller -> FortiLink Interface and creating a new interface through the GUI.

  • Alternatively, one can modify an existing interface (config system interface, edit <name>) and run set fortilink enable to designate it as a FortiLink interface. This is also useful if the FortiGate-VM needs multiple independent FortiLink interfaces.
  • When creating a new FortiLink interface that will replace an existing interface, ensure that any default VLANs present on the older FortiLink are deleted first (may need to dereference those VLANs from elsewhere in the configuration first).
    • In lab testing, it has been found that a FortiLink interface that is missing its default VLANs will be able to discover a FortiSwitch (via the FortiLink layer 2 protocol), but will be unable to Authorize the FortiSwitch in the Managed section (the FortiSwitch entry will remain grey, rather than turn red or blue).

Note: It is recommended that a FortiLink interface (Aggregate, Software Switch, etc.) should only contain a single member interface at any given time.

  • The reason is that these logical interfaces inherit and select one MAC address to use across all of their member interfaces (for example, a Software Switch with port2 and port3 assigned may use port2’s MAC address for all traffic sent and received on that Software Switch interface).
  • This is a problem if the hypervisor (e.g. Hyper-V, VMware, KVM, etc.) does not allow MAC spoofing, since the FortiGate may then send traffic out of one virtual interface using the MAC address of another virtual interface and have it dropped by the virtual switch. In Hyper-V this is controlled per adapter by the ‘Enable MAC address spoofing’ setting (Set-VMNetworkAdapter -MacAddressSpoofing On), which is Off by default. This is not generally a problem on a physical FortiGate.
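The following is an added example for this article, not code from Fortinet or from the original page. It combines the host-side work of Step 1 (select the adapter, set Trunk mode, then read the setting back instead of assuming the cmdlet succeeded), the optional VM restart of Step 2, and a check for the MAC spoofing caveat above. The function name, its parameter names and the sample VM name and MAC address in the usage line are assumptions made for this example; the cmdlets and properties it uses (Get-VMNetworkAdapter, Set-VMNetworkAdapterVlan, Get-VMNetworkAdapterVlan, Stop-VM, Start-VM, MacAddress, MacAddressSpoofing, OperationMode, NativeVlanId) are part of the Hyper-V PowerShell module.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example (not from the original article): put a FortiGate-VM's FortiLink adapter
# into Trunk mode (Step 1), verify the result, report the adapter's MAC-spoofing setting
# (the Step 4 caveat) and optionally restart the VM (Step 2).
# Function name, parameter names and the sample values below are assumptions.

function Set-FortiLinkTrunkAdapter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        # Select the adapter by its Hyper-V name OR by its MAC address (12 hex digits,
        # separators optional). MAC is useful when the adapters share the default name.
        [string] $AdapterName,
        [string] $AdapterMacAddress,
        [int]    $NativeVlanId = 0,
        [string] $AllowedVlanIdList = '1-4094',
        [switch] $RestartVM
    )

    $adapters = @(Get-VMNetworkAdapter -VMName $VMName)
    if ($AdapterMacAddress) {
        # Hyper-V stores the MAC as 12 upper-case hex digits without separators.
        $mac = ($AdapterMacAddress -replace '[:\-\.]', '').ToUpper()
        $adapters = @($adapters | Where-Object { $_.MacAddress -eq $mac })
    } elseif ($AdapterName) {
        $adapters = @($adapters | Where-Object { $_.Name -eq $AdapterName })
    }
    # Refuse to guess: Trunk mode on the wrong adapter silently changes other VM traffic.
    if ($adapters.Count -ne 1) {
        throw "Expected exactly one matching adapter on '$VMName', found $($adapters.Count)."
    }
    $adapter = $adapters[0]

    if ($PSCmdlet.ShouldProcess("$VMName / $($adapter.Name)", 'Set VLAN Trunk mode')) {
        Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -Trunk `
            -NativeVlanId $NativeVlanId -AllowedVlanIdList $AllowedVlanIdList
    }

    # Read the setting back rather than trusting that the call took effect.
    $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $adapter
    if ($vlan.OperationMode -ne 'Trunk' -or $vlan.NativeVlanId -ne $NativeVlanId) {
        throw "Adapter '$($adapter.Name)' is in $($vlan.OperationMode) mode with native VLAN " +
              "$($vlan.NativeVlanId); expected Trunk with native VLAN $NativeVlanId."
    }

    # Step 4 caveat: with MAC spoofing Off, Hyper-V drops frames whose source MAC is not the
    # adapter's own, which is what happens when a multi-member aggregate or software switch
    # borrows another member's MAC. Report it; do not enable it silently.
    if ($adapter.MacAddressSpoofing -ne 'On') {
        Write-Warning ("MAC address spoofing is $($adapter.MacAddressSpoofing) on " +
            "'$($adapter.Name)'. Keep the FortiLink interface to a single member, or run: " +
            "Set-VMNetworkAdapter -VMName '$VMName' -Name '$($adapter.Name)' -MacAddressSpoofing On")
    }

    if ($RestartVM -and $PSCmdlet.ShouldProcess($VMName, 'Restart VM')) {
        # Step 2: a restart avoids the stale DHCP behaviour seen after switching to Trunk
        # mode. 'execute reboot' from the FortiOS CLI is preferred; a Hyper-V stop/start
        # (graceful shutdown via integration services) is acceptable.
        Stop-VM -Name $VMName
        Start-VM -Name $VMName
    }

    [pscustomobject]@{
        VM                 = $VMName
        Adapter            = $adapter.Name
        MacAddress         = $adapter.MacAddress
        OperationMode      = $vlan.OperationMode
        NativeVlanId       = $vlan.NativeVlanId
        MacAddressSpoofing = $adapter.MacAddressSpoofing
    }
}

# Sample invocation; the VM name and MAC address are placeholders for this example.
Set-FortiLinkTrunkAdapter -VMName 'FortiGate-VM64-HV' -AdapterMacAddress '00-15-5D-01-02-03' -RestartVM
```

Run it with -WhatIf first to confirm that exactly one adapter matches before anything is changed. Selecting by MAC address sidesteps the duplicate-name problem noted in Step 1, and the read-back check catches the case where the cmdlet is accepted but the adapter is still in Untagged mode, which would otherwise only show up later as a FortiSwitch that never obtains a DHCP address.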

Conclusion

Once these four steps are completed, a FortiSwitch can be connected to the physical network interface on the Hyper-V host that is bound to the same Virtual Switch as the FortiGate-VM. In a packet capture it should then be possible to observe FortiLink Layer 2 traffic and a successful DHCP address assignment, followed by the establishment of a CAPWAP (or HTTPS) connection between the FortiGate and the FortiSwitch.