Matt Sherif

Apr 8, 2021 · 2 min read

FortiGate VLANs: tagged and untagged VLANs on the same physical interface

I have come across this question quite a bit lately, and thought it may be helpful to post a quick how-to. In this post we'll take a look at a port configuration on a Cisco switch, and configure the FortiGate accordingly. You can do this with any model of switch; I am only using Cisco as the reference because its configuration syntax is the most widely understood.

Assumptions

  • FortiOS Versions: This is tested in FortiOS 6.0 and above

  • The interface in question is not a part of a virtual switch (hardware or software)

With the boring stuff out of the way, let's get into the fun stuff.

The scenario

Based on the switch configuration snippet below, we want the FortiGate to support both a tagged and an untagged VLAN on the same physical interface:

!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3-4
!

Here's how we configure that on a FortiGate:

VLAN3:

Here's what this looks like in CLI:

config system interface
    edit "internal6"
        set vdom "root"
        set ip 10.0.3.2 255.255.255.0
        set allowaccess ping https ssh http fabric
        set type physical
        set alias "VLAN3 - untagged"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 12
    next
end

It's configured pretty much like a standard interface, because it is one: the native (untagged) VLAN simply lives on the physical port.

VLAN 4:

In Network > Interfaces, click "Create New > Interface".

Note the differences: this is a "VLAN" interface, and it's "tied" to "internal6". Here's how it looks in CLI:

config system interface
    edit "vl_4_lan"
        set vdom "root"
        set ip 10.0.4.2 255.255.255.0
        set allowaccess ping https ssh http fabric
        set alias "VLAN 4"
        set device-identification enable
        set role lan
        set snmp-index 14
        set interface "internal6"
        set vlanid 4
    next
end

You can continue to add VLANs using the same method as needed.

Simply put, the FortiGate doesn't care which VLAN number your "native/untagged" VLAN is. Any frame arriving on the physical interface without an 802.1Q (VLAN) tag is assumed to belong to that interface's subnet, and only tagged frames are steered to the matching VLAN interface.
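As an added example (not from the original post), here is a small Python script that reads a Cisco trunk-port snippet like the one above, works out which VLAN arrives untagged and which ones need 802.1Q VLAN interfaces, checks the trunk for the usual mistakes (native VLAN pruned from the allowed list, an unpruned allowed list, a FortiGate VLAN interface whose vlanid matches the native VLAN and therefore never sees traffic), and emits the matching FortiOS CLI. The interface name internal6, the addressing, the vl_<id>_lan naming and the reduced allowaccess list are assumptions for the sample; snmp-index is left for FortiOS to assign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the Cisco trunk port shown in the post.
SAMPLE_IOS = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3-4
!
"""
# Constructed sample addressing (VLAN id -> "ip mask"), matching the post.
SAMPLE_ADDRESSING = {3: "10.0.3.2 255.255.255.0", 4: "10.0.4.2 255.255.255.0"}

@dataclass
class TrunkPort:
    name: str
    is_trunk: bool = False
    native_vlan: int = 1                       # IOS default when none is set
    allowed_vlans: Optional[List[int]] = None  # None = all VLANs (IOS default)

def expand_vlan_list(spec: str) -> List[int]:
    """Expand an IOS VLAN list such as '3-4,10,20-22' into sorted ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return sorted(vlans)

def parse_trunks(config: str) -> List[TrunkPort]:
    """Collect the trunk-relevant lines of each IOS interface block."""
    ports: List[TrunkPort] = []
    current: Optional[TrunkPort] = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^interface (\S+)$", line):
            current = TrunkPort(name=m.group(1))
            ports.append(current)
        elif current is None:
            continue
        elif line == "switchport mode trunk":
            current.is_trunk = True
        elif m := re.match(r"^switchport trunk native vlan (\d+)$", line):
            current.native_vlan = int(m.group(1))
        elif m := re.match(r"^switchport trunk allowed vlan ([\d,-]+)$", line):
            current.allowed_vlans = expand_vlan_list(m.group(1))
    return ports

def plan_fortigate(port: TrunkPort) -> Tuple[int, List[int], List[str]]:
    """Return (untagged_vlan, tagged_vlans, warnings): the native VLAN rides on
    the physical interface, every other allowed VLAN needs a VLAN interface."""
    warnings: List[str] = []
    if not port.is_trunk:
        warnings.append(f"{port.name}: not a trunk, only untagged frames will arrive")
    if port.allowed_vlans is None:
        warnings.append(f"{port.name}: allowed list not pruned, every switch VLAN "
                        "is offered to the firewall; list the tagged VLANs explicitly")
        return port.native_vlan, [], warnings
    if port.native_vlan not in port.allowed_vlans:
        warnings.append(f"{port.name}: native VLAN {port.native_vlan} is not in the "
                        "allowed list, so the switch will not forward untagged traffic")
    tagged = [v for v in port.allowed_vlans if v != port.native_vlan]
    return port.native_vlan, tagged, warnings

def native_vlan_collisions(fortigate_vlan_ids: List[int], untagged: int) -> List[int]:
    """A FortiGate VLAN interface whose vlanid equals the switch's native VLAN
    never receives traffic: the switch sends that VLAN without an 802.1Q tag."""
    return [v for v in fortigate_vlan_ids if v == untagged]

def _iface_block(name: str, settings: List[Tuple[str, str]]) -> List[str]:
    return [f'    edit "{name}"'] + [f"        set {k} {v}" for k, v in settings] + ["    next"]

def render_fortios(phys_iface: str, untagged: int, tagged: List[int],
                   addressing: Dict[int, str], vdom: str = "root",
                   allowaccess: str = "ping https ssh") -> str:
    """Emit FortiOS CLI for the physical port and one VLAN interface per tag."""
    common = [("vdom", f'"{vdom}"'), ("allowaccess", allowaccess), ("role", "lan")]
    blocks = _iface_block(phys_iface, common + [
        ("ip", addressing[untagged]), ("type", "physical"),
        ("alias", f'"VLAN{untagged} - untagged"')])
    for vid in tagged:
        blocks += _iface_block(f"vl_{vid}_lan", common + [
            ("ip", addressing[vid]), ("alias", f'"VLAN {vid}"'),
            ("interface", f'"{phys_iface}"'),   # ties the VLAN to the physical port
            ("vlanid", str(vid))])
    return "\n".join(["config system interface"] + blocks + ["end"])

if __name__ == "__main__":
    for port in parse_trunks(SAMPLE_IOS):
        untagged, tagged, warnings = plan_fortigate(port)
        for w in warnings:
            print("WARNING:", w)
        print(render_fortios("internal6", untagged, tagged, SAMPLE_ADDRESSING))
```

Running it on the sample prints no warnings and a config equivalent to the two CLI blocks above (minus the GUI-only extras). The warnings are the part worth keeping around: a native VLAN that the switch does not allow, or a VLAN interface on the FortiGate for the VLAN the switch sends untagged, both produce a "link is up but nothing talks" symptom that is hard to spot from either side alone.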

That's all there is to it, thank you for reading, I hope this helps.
