Back to Blog
How to Configure FortiGate VLAN: Step-by-Step
technicalFebruary 15, 2025· 7 min read

How to Configure FortiGate VLAN: Step-by-Step

Step-by-step FortiGate VLAN configuration: interface setup, inter-VLAN routing, and firewall policies.

T

TechGuru Team

A restaurant chain with 12 branches called us because their POS systems, office computers, and guest WiFi were all on the same network. One compromised IoT thermostat nearly gave attackers access to payment data. We segmented everything into VLANs on their FortiGate in under 4 hours. Here's exactly how we did it.

VLAN configuration on FortiGate is straightforward once you understand the model. This guide walks you through every step, with real configuration examples you can adapt to your network.

What is VLAN Configuration on FortiGate?

VLAN (Virtual Local Area Network) lets you split a single physical network into multiple logical segments. On FortiGate, VLANs are created as sub-interfaces on a physical port. Each VLAN gets its own subnet, security policies, and traffic rules.

Why does this matter? Without VLANs, a compromised device on your guest WiFi can potentially access your servers. With VLANs, each segment is isolated. The guest network literally cannot reach the server network unless you explicitly allow it.

Why VLAN Segmentation Matters

We've seen three types of incidents that VLANs prevent:

Lateral movement: Attackers who breach one device try to spread to others. VLANs limit the blast radius. If the guest WiFi is compromised, they can only see other guest devices.

Compliance: PCI DSS requires cardholder data to be on its own network segment. HIPAA requires patient data isolation. VLANs are the simplest way to meet these requirements.

Performance: Broadcast storms on one VLAN don't affect other segments. We've seen a misbehaving printer bring down an entire flat network. VLANs prevent that.

How to Configure FortiGate VLAN: Step-by-Step

Step 1: Plan Your VLAN Structure

Before touching the firewall, map out your VLANs. Here's a structure we use for most SMBs:

VLAN 10 - Management: For firewall and switch management. 10.0.10.0/24. VLAN 20 - Servers: For internal servers. 10.0.20.0/24. VLAN 30 - Workstations: For office computers. 10.0.30.0/24. VLAN 40 - VoIP: For IP phones. 10.0.40.0/24. VLAN 50 - Guest WiFi: For visitor access. 10.0.50.0/24. VLAN 60 - IoT: For smart devices. 10.0.60.0/24.

Step 2: Create VLAN Interfaces on FortiGate

Log into your FortiGate web interface. Go to Network > Interfaces. Click 'Create New' > 'Interface'. Set the following for each VLAN:

Name: Give it a descriptive name like 'VLAN20-Servers'. Type: Select 'VLAN'. Interface: Choose the physical port (e.g., port1). VLAN ID: Enter the VLAN number (e.g., 20). IP/Netmask: Enter the subnet gateway (e.g., 10.0.20.1/24).

Repeat this for each VLAN. Make sure the VLAN IDs match what your switches are configured for.

Step 3: Configure Switch Ports

If you're using FortiGate's built-in switch, go to Network > Interfaces and set the relevant ports to 'LAN' role. Assign them to the appropriate VLAN.

If you're using external switches, configure the trunk port between the switch and FortiGate to carry all VLANs. Then set access ports on the switch to assign devices to the correct VLAN.

Step 4: Create Firewall Policies

This is where the real security happens. Go to Policy & Objects > Firewall Policy. Create policies for each VLAN pair:

Policy 1: Workstations to Internet - Allow VLAN 30 to access the internet via NAT. Policy 2: Servers to Internet - Allow VLAN 20 limited internet access (updates only). Policy 3: Guest to Internet - Allow VLAN 50 internet access only, block all internal subnets. Policy 4: Workstations to Servers - Allow VLAN 30 to reach VLAN 20 on specific ports (443, 8443).

Default deny: Make sure there's an implicit or explicit deny-all at the bottom of your policy list.

Step 5: Enable Inter-VLAN Routing

By default, FortiGate routes traffic between VLANs. You control this with firewall policies. If you want VLANs to be completely isolated, remove the inter-VLAN policies and rely on explicit allow rules.

Pro tip: Don't allow Workstations to ping or access the Management VLAN (10). Management access should only come from the management network or VPN.

Best Practices

1. Use consistent VLAN numbering across all sites if you have multiple branches. It makes troubleshooting much easier.

2. Enable logging on all VLAN policies. When something goes wrong, logs tell you which VLAN the traffic came from and which policy blocked it.

3. Use VLAN names that describe the purpose, not just the number. 'VLAN20-Servers' is better than 'VLAN20'.

4. Create a VLAN for IoT devices. They're notoriously insecure and should never be on the same network as your workstations.

5. Test inter-VLAN routing after each policy change. We've seen configs that accidentally blocked server access because of a misplaced rule.

Common Mistakes

Mistake 1: Forgetting to tag VLAN traffic on trunk ports. If your switch isn't tagging frames correctly, VLANs won't work even if FortiGate is configured properly.

Mistake 2: Using VLAN 1 for production traffic. VLAN 1 is often the default and can be a security risk. Create a dedicated management VLAN instead.

Mistake 3: Not testing guest isolation. Your guest WiFi VLAN should not be able to reach ANY internal network. Test this explicitly.

Conclusion

VLAN configuration on FortiGate is one of the highest-impact security improvements you can make. It takes a few hours to set up but prevents entire categories of attacks. Start with the basic four VLANs (management, servers, workstations, guest) and expand from there.

Next step: Audit your current network. If everything is on one flat network, VLAN segmentation should be your top priority.

Want to go deeper? Explore [Protect security services](/en/products/protect), [industry solutions](/en/solutions), or [get a security assessment](/en/contact).

FAQ

Q: How many VLANs can FortiGate support? A: Most FortiGate models support up to 256 VLANs. For typical SMB deployments, you'll use 5-10.

Q: Do I need managed switches for VLANs? A: Yes. VLANs require 802.1Q capable switches. Unmanaged switches don't support VLAN tagging.

Q: Can VLANs improve network performance? A: Yes. By isolating broadcast domains, each VLAN has less broadcast traffic, improving overall performance.

Q: What's the difference between VLANs and zones on FortiGate? A: VLANs are Layer 2 network segments. Zones are FortiGate's way of grouping interfaces for policy management. You can create a zone that contains multiple VLAN interfaces.

Threat Landscape and Current Attack Vectors

Understanding the current threat landscape is essential for making informed security decisions. In 2025, the most common attack vectors include ransomware (up 150% from 2024), supply chain attacks (targeting software vendors and managed service providers), credential stuffing (exploiting password reuse across services), and zero-day exploits (targeting unpatched vulnerabilities).

According to the 2025 Verizon Data Breach Investigations Report, 68% of breaches involve a human element (phishing, stolen credentials, or errors). This means technology alone is not enough - you need people, processes, AND technology working together.

Implementation Roadmap

We recommend a phased approach to implementation. Phase 1 (Weeks 1-4): Assessment and design. Document current state, identify gaps, design target architecture. Phase 2 (Weeks 5-8): Deploy core components. Install and configure the primary solution in a test environment. Phase 3 (Weeks 9-12): Pilot testing. Deploy to 20-30% of users, collect feedback, refine configuration.

Phase 4 (Weeks 13-16): Full deployment. Roll out to remaining users with minimal disruption. Phase 5 (Weeks 17-20): Optimization. Fine-tune policies, optimize performance, and document procedures. This timeline works for most medium enterprises (200-500 users).

Compliance and Regulatory Considerations

If your organization is subject to regulatory requirements (PCI DSS, HIPAA, ISO 27001, GDPR), ensure your implementation addresses these requirements from the start. Retrofitting compliance is significantly more expensive than building it in. We recommend creating a compliance matrix that maps each regulatory requirement to specific technical controls.

Common compliance gaps we see: insufficient audit logging (PCI DSS requires 12 months of logs), missing encryption at rest (required by HIPAA and GDPR), inadequate access controls (required by ISO 27001), and missing incident response procedures (required by all frameworks).

Need help with this topic?

Our experts can help you implement the right solution for your organization.

Contact Us

Was this article helpful?

Join the discussion

No comments yet. Be the first to share your thoughts.