Creating A VLAN Trunk Interface Using CLI On FortiGate

Summary

I noticed in this post I didn’t provide the step that comes BEFORE configuring the DHCP server for the VLAN. Time to fix that. This post assumes that all of the needed wiring and configuration is done on the switch. If anyone needs help with this kind of stuff. You’re welcome to contact me.

Post can be found below:

• FortiGate: Adding A DHCP Server To A VLAN Interface With The DMZ Role

On FortiGate firewalls with 802.1Q VLAN interfaces. The DMZ role can be assigned to the interface. What this does is help condense an interface for use with multiple subnets. Allowing for more available ports.

In this particular scenario there is a VLAN interface configured on port9 on a FortiGate VM named tl-app-01.

This senario utilizes the following subnet. This will allow for only two usable hosts within the subnet and I only have one server that needs this.

Setup

• Network: 172.16.172.0/30
• Subnet: 255.255.255.252

To set the configuration. You connect to the firewalls terminal and configure it like so. A little explaination as to what this does.

1. Creates a new system interface named tl-app-01 on VDOM root.
2. Sets the IP address to 172.16.172.2
3. Allows us to ping the interface.
4. Enabled device identification.
5. Sets the role of the VLAN to DMZ.
6. Sets the physical interface to port9 on the firewall.
7. Sets the VLAN ID of the VLAN to 3000

The configuration for this can be found below. Easy peasy.

config system interface
    edit "tl-app-01"
        set vdom "root"
        set ip 172.16.172.2 255.255.255.252
        set allowaccess ping
        set device-identification enable
        set role dmz
        set interface "port9"
        set vlanid 3000
    next
end

Of course if you utilize strict firewall rules. Rules and objects will need to be configured so IPs within the subnet can reach things like the Internet and other things that an “app” server my need to access.