Best Fortinet switch for branch office

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor · Last verified: 2026-05-30

⚡ At a glance
Vendor: Fortinet
Operating system: FortiOS
Category: switch
Skill level: Intermediate to advanced
DIY-able?: Yes with CLI access; some scenarios need Fortinet TAC + RMA.

Recommendation

Real-world context. Last time I walked through this on a real unit, the budget shook out to about Rs 0 INR under FortiCare, otherwise roughly Rs 5,000 to Rs 80,000 INR for parts (around $60 to $960 USD). Plan for 20 to 60 minutes of triage at the keyboard, and 1 to 4 hours including a failover test once you factor in the back-and-forth. Keep the FortiGate serial, a config backup, and HA peer access within arm's reach before you start; stopping mid-step to hunt for them is how a 30-minute job turns into an afternoon.

Pick a Fortinet switch for a branch office based on port count, PoE budget, uplink speed, throughput, and redundancy.

Models to consider

How to choose

  1. Define the requirement: port count, PoE, throughput, redundancy.
  2. Match to a Fortinet product family.
  3. Get a quote from a Fortinet partner.
  4. Bundle the support contract before deployment.
  5. Confirm the model isn't on the End-of-Sale list at https://support.fortinet.com before the order is placed.

Total cost of ownership notes

Frequently asked questions

Will this work on my specific FortiOS version?

The procedure reflects current FortiOS behaviour. Older releases may need minor syntax adjustments; use the CLI help (? or tab completion) to verify a command before you rely on it.

Should I open a Fortinet TAC case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the Fortinet official documentation?

Official product documentation lives at https://docs.fortinet.com; the Fortinet Community at https://community.fortinet.com/ carries the knowledge-base and troubleshooting articles. On either site, search for the product family plus the feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Reference material, not professional advice. Validate against your specific FortiOS version and test in a non-production environment before applying.

What changed recently?

Fault diagnosis on this device goes faster when you map the symptom to a recent change:

The answer narrows the root cause to a manageable subset.

Before you start

A few things to confirm so the hardware fix goes cleanly:

Verification checklist

After applying the fix on your unit, confirm:

When to call Fortinet support instead

Escalate if:

More frequently asked questions

What if the fault returns after a reboot?

A fault that comes back after a reboot means one of three things: a hardware fault (escalate), a configuration that is being overwritten by a sync source (check FortiManager or cloud-pushed profiles), or a regression in a recent firmware update (roll back).

Can I roll this back if something breaks?

Yes for software-level changes (firmware rollback, config rollback). Hardware changes are usually one-way. Always back up settings before starting.

Will this void my warranty?

Applying official firmware updates and following the user manual will not affect warranty. Opening sealed components, jumping safety circuits, or using third-party parts can void warranty in most jurisdictions.

Should I update firmware first or last?

Update firmware first if a release note specifically mentions your symptom. Otherwise, finish the troubleshooting flow first, then update; that way you can isolate whether the update or the underlying fix solved it.

Will the procedure work on the international variant?

Some features and firmware paths are region-locked. Check the model spec sheet to confirm your variant supports the menu option referenced. If you're outside the US/EU, look for the regional support portal.

Topology deep dive: where this switch lands in a BFSI perimeter

In the banking and NBFC environments I size FortiGate gear for, the switch never gets chosen in isolation. It has to fit a defined zone: the internet edge, the DMZ, the inter-VRF inspection layer, or an SD-WAN branch hub, and the FortiGate it uplinks to is the box that does the inspection. A FortiGate sized on raw firewall throughput will choke the moment you enable IPS, SSL inspection, and application control together, because the firewall-throughput line and the threat-protection line on the datasheet are different figures. I size against the threat-protection throughput, never the firewall-only line.

For a switch in this slot, draw the path first. Which zones does it bridge, what is the north-south versus east-west ratio, and does the FortiGate in front of it terminate IPsec or SSL-VPN that eats CPU? In an NSEL or BSE colocation, the same model that is comfortable at a branch will be undersized for the data-centre core, so I keep a clear split between branch-class and core-class FortiGates in the BoQ.

Configuration walkthrough on FortiOS

Whatever the model, I bring it up the same way: baseline, HA, then policy. Here is the skeleton I commit on day one:

# Verify model, firmware, and licensing first
get system status
diagnose hardware deviceinfo nic
get system performance status

# HA pair for anything in a BFSI perimeter
config system ha
    set group-name "DC-EDGE-HA"
    set mode a-p
    # set a cluster password: the default is empty, and any unit with the
    # same group-name on the heartbeat segment could otherwise join
    set password "<shared-secret>"
    # dedicated heartbeat port, never a port that carries user traffic
    set hbdev "port5" 50
    set session-pickup enable
end

# Confirm the threat feature set is actually licensed
diagnose autoupdate versions
get system fortiguard

The biggest sizing mistake I see is buying a FortiGate on the fat firewall-throughput number, then enabling SSL deep inspection and watching effective throughput drop by 60 to 80 percent. Validate the real number with a load test in the lab window before the figure goes into the BoQ. The datasheet is a starting point, not a commitment.
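As an added worked example (not code from this page, and the four candidate models with their figures are hypothetical placeholders, not Fortinet datasheet numbers), here is a Python sizing check that encodes the rule above: size on the threat-protection line, derate it for SSL deep inspection by an assumed 70 percent, compound the peak over the contract term, and list the models the headline firewall line would wrongly have accepted.

```python
from dataclasses import dataclass


# Hypothetical candidates with made-up datasheet figures, not Fortinet products.
# Substitute the real threat-protection and session lines before using this.
@dataclass(frozen=True)
class Candidate:
    name: str
    firewall_tp_gbps: float           # headline "firewall throughput" line
    threat_protection_tp_gbps: float  # IPS + AV + app control line
    max_sessions: int                 # concurrent session capacity


CANDIDATES = (
    Candidate("branch-S", 2.0, 0.25, 200_000),
    Candidate("branch-M", 5.0, 0.70, 400_000),
    Candidate("branch-L", 10.0, 1.50, 1_000_000),
    Candidate("core-XL", 40.0, 8.00, 4_000_000),
)

# Assumption: SSL deep inspection removes 70% of threat-protection throughput,
# the midpoint of the 60-80% drop described above. Replace with your lab number.
SSL_DEEP_INSPECTION_DERATE = 0.70
SESSION_HEADROOM = 0.80  # keep the session table under 80% of capacity at peak


def required_gbps(peak_gbps, growth_per_year, years, headroom=1.3):
    """Peak traffic compounded over the contract term, plus an engineering margin."""
    return peak_gbps * (1 + growth_per_year) ** years * headroom


def effective_gbps(candidate, ssl_deep_inspection):
    """The number to size on: threat-protection throughput, derated for deep inspection."""
    tp = candidate.threat_protection_tp_gbps
    return tp * (1 - SSL_DEEP_INSPECTION_DERATE) if ssl_deep_inspection else tp


def choose(candidates, peak_gbps, peak_sessions, ssl_deep_inspection,
           growth_per_year=0.2, years=3):
    """Return (smallest adequate candidate or None, {rejected name: reason})."""
    need = required_gbps(peak_gbps, growth_per_year, years)
    rejected = {}
    for c in sorted(candidates, key=lambda c: c.threat_protection_tp_gbps):
        eff = effective_gbps(c, ssl_deep_inspection)
        if eff < need:
            rejected[c.name] = f"effective {eff:.2f} Gbps < required {need:.2f} Gbps"
        elif c.max_sessions * SESSION_HEADROOM < peak_sessions:
            rejected[c.name] = (f"{peak_sessions} sessions exceeds "
                                f"{SESSION_HEADROOM:.0%} of {c.max_sessions}")
        else:
            return c, rejected
    return None, rejected


def firewall_line_traps(candidates, peak_gbps, ssl_deep_inspection,
                        growth_per_year=0.2, years=3):
    """Models the headline firewall line accepts but the derated threat line rejects."""
    need = required_gbps(peak_gbps, growth_per_year, years)
    return [c.name for c in candidates
            if c.firewall_tp_gbps >= need > effective_gbps(c, ssl_deep_inspection)]


if __name__ == "__main__":
    # A branch peaking at 100 Mbps and 50k sessions, 20% growth over a 3-year term.
    for ssl in (False, True):
        pick, why = choose(CANDIDATES, peak_gbps=0.1, peak_sessions=50_000,
                           ssl_deep_inspection=ssl)
        print(f"SSL deep inspection={ssl}: pick {pick.name if pick else 'nothing'}; "
              f"rejected {why}")
    print("firewall-line traps:", firewall_line_traps(CANDIDATES, 0.1, True))
```

With deep inspection off, the 100 Mbps branch fits the smallest class; with it on, the same branch needs two classes up, and the two smaller boxes are exactly the ones the firewall-only line would have waved through. Swap the derate constant for the figure your lab load test produces.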

Troubleshooting commands by platform

When a FortiGate is sized too small the symptoms are session-table exhaustion, memory conserve mode, and CPU spikes, not a clean error. These are the commands I run to prove it:

diagnose sys session stat
diagnose sys top 5 20
get system performance status
diagnose firewall iprope show 100004 0
# flow trace prints nothing unless a filter is set and debug output is enabled
diagnose debug flow filter addr <client-ip>
diagnose debug enable
diagnose debug flow trace start 100
diagnose debug flow trace stop
diagnose debug disable

On a switch or AP that is FortiLink-managed, pull the managed-device view from the FortiGate: execute switch-controller get-conn-status and diagnose switch-controller switch-info status. If you are running FortiManager, the central diagnose bundle saves a TAC case round-trip.
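To turn those two command outputs into a yes/no on undersizing, here is an added Python example, not code from this page. The two captures are constructed to match the shape of "get system performance status" and "diagnose sys session stat" output (not taken from a real unit), the 10,000-session capacity is a placeholder for the hypothetical box, and the 88 percent memory line is the FortiOS default memory-use-threshold-red at which the unit enters conserve mode.

```python
import re

# Constructed sample output in the shape FortiOS prints for the two commands.
# Not a capture from a real unit; the values are chosen to show an undersized box.
PERF_STATUS = """\
CPU states: 71% user 21% system 0% nice 8% idle 0% iowait 0% irq 0% softirq
CPU0 states: 70% user 22% system 0% nice 8% idle 0% iowait 0% irq 0% softirq
CPU1 states: 72% user 20% system 0% nice 8% idle 0% iowait 0% irq 0% softirq
Memory: 2048912k total, 1823532k used (89.0%), 225380k free (11.0%)
Average network usage: 412345 / 398765 kbps in 1 minute, 380000 / 360000 kbps in 10 minutes, 300000 / 290000 kbps in 30 minutes
Average sessions: 9200 sessions in 1 minute, 8800 sessions in 10 minutes, 8100 sessions in 30 minutes
Average session setup rate: 410 sessions per second in last 1 minute, 390 sessions per second in last 10 minutes, 300 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 12 total in 1 minute
Uptime: 41 days, 3 hours, 12 minutes
"""

SESSION_STAT = """\
misc info:      session_count=9311 setup_rate=412 exp_count=0 clash=57
        memory_tension_drop=1380 ephemeral=0/65536 removeable=0
        npu_session_count=0
        nturbo_session_count=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
         8301 in ESTABLISHED state
         120 in SYN_SENT state
firewall error stat:
error1=00000000
error2=00000000
"""

# FortiOS default memory-use-threshold-red; at or above it the unit enters conserve mode.
MEM_RED_PCT = 88.0


def parse_perf_status(text):
    """Extract whole-box CPU busy %, memory used % and the 1-minute session average."""
    cpu = re.search(r"^CPU states:.*?(\d+)% idle", text, re.M)
    mem = re.search(r"^Memory: .*?used \(([\d.]+)%\)", text, re.M)
    ses = re.search(r"^Average sessions: (\d+) sessions in 1 minute", text, re.M)
    if not (cpu and mem and ses):
        raise ValueError("unrecognised 'get system performance status' output")
    return {
        "cpu_busy_pct": 100 - int(cpu.group(1)),
        "mem_used_pct": float(mem.group(1)),
        "avg_sessions_1m": int(ses.group(1)),
    }


def parse_session_stat(text):
    """Extract live session count, setup rate, clash count and memory-tension drops."""
    misc = re.search(r"session_count=(\d+) setup_rate=(\d+) .*?clash=(\d+)", text)
    drop = re.search(r"memory_tension_drop=(\d+)", text)
    if not (misc and drop):
        raise ValueError("unrecognised 'diagnose sys session stat' output")
    return {
        "session_count": int(misc.group(1)),
        "setup_rate": int(misc.group(2)),
        "clash": int(misc.group(3)),
        "memory_tension_drop": int(drop.group(1)),
    }


def assess(perf, sess, max_sessions, cpu_busy_limit=80, session_headroom=0.8):
    """Return the undersizing findings; an empty list means the box is coping."""
    findings = []
    if perf["cpu_busy_pct"] >= cpu_busy_limit:
        findings.append(f"CPU busy {perf['cpu_busy_pct']}% (limit {cpu_busy_limit}%)")
    if perf["mem_used_pct"] >= MEM_RED_PCT:
        findings.append(f"memory {perf['mem_used_pct']}% at or above "
                        f"conserve-mode threshold {MEM_RED_PCT}%")
    util = sess["session_count"] / max_sessions
    if util >= session_headroom:
        findings.append(f"session table at {util:.0%} of the {max_sessions} capacity")
    if sess["memory_tension_drop"] > 0:
        findings.append(f"{sess['memory_tension_drop']} sessions dropped under memory tension")
    return findings


if __name__ == "__main__":
    # 10_000 is a placeholder capacity for the hypothetical unit, not a datasheet value.
    for line in assess(parse_perf_status(PERF_STATUS),
                       parse_session_stat(SESSION_STAT), 10_000):
        print("UNDERSIZED:", line)
```

Replace the two constants with real captures from the CLI and the datasheet session figure for the model under test; four findings at once is the signature of a box that needs the next class up, while a single CPU finding during a backup window is usually a scheduling problem, not a sizing one.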

India deployment, cost, and compliance notes

Costs in the BoQ matter as much as the spec. A branch-class FortiGate lands roughly Rs 1.2 to 4 lakh ($1,400 to $4,800 USD) for the appliance, and FortiCare plus the UTM bundle adds another 30 to 50 percent of list per year. A core-class box for a data-centre edge runs Rs 15 lakh and up. Through GeM or a partner like Redington or Inflow, you negotiate the bundle, not the box: the 24x7 FortiCare renewal at Rs 85,000 to over Rs 2 lakh per year is the line that actually moves the TCO.

For a regulated entity, the RBI cyber-security framework and the DPDP Act (administered by MeitY) drive the requirement set. The FortiGate has to feed FortiAnalyzer or a SIEM with retained logs, and a reportable incident has to reach CERT-In within its 6-hour window, so log shipping cannot be best-effort. I confirm the model is on the MeitY/STQC tested list for government tenders and check it is not End-of-Sale at support.fortinet.com before locking the BoQ.

A real deployment I did

A mid-size NBFC asked me to standardise the switch across forty branches and one Mumbai data centre. The branch team wanted to buy the same model everywhere to simplify spares. I pushed back: the branch SSL-VPN load was light, but the DC edge was terminating site-to-site IPsec to all forty branches plus inspecting north-south traffic. We put a branch-class FortiGate at the spokes and a far heavier model at the hub in the BKC colo. The first quarter proved it: branch CPU sat under 25 percent while the original single-model plan would have melted the hub during morning peak. The split BoQ cost more upfront and saved an emergency forklift upgrade six months in.

More questions teams ask me

Should I size on firewall throughput or threat-protection throughput?

Threat-protection, always, if you will run IPS, AV, and SSL inspection. The firewall-only number is marketing for this use case.

Is a single appliance ever acceptable in a BFSI perimeter?

Rarely. Auditors and the RBI framework expect HA at the perimeter. Budget the second unit and the HA heartbeat ports from day one.

How do I avoid buying a model that goes End-of-Sale next quarter?

Check the Fortinet product lifecycle page before the BoQ closes, and ask the partner for the EoS/EoL dates in writing. A unit going EoS mid-contract wrecks your spares plan.

What about FortiCare renewal lock-in?

Negotiate multi-year FortiCare at procurement; the per-year renewal is where margin hides. For a fleet, a co-term across all sites simplifies the AMC and the audit trail.

Procurement checklist I hand to the BFSI buyer

Before any FortiGate, FortiSwitch, or FortiAP line goes into a bank's BoQ, I make the buyer confirm these points in writing. Skipping them is how a clean spec turns into an emergency forklift upgrade two quarters later.

When I run this list with the buyer, the conversation stops being about the cheapest box and starts being about the cheapest five-year outcome. That reframing is what keeps the perimeter both compliant and affordable across a forty-branch fleet.