Technical Tip: How to delete the default virtual hardware switch
Description
Individual interfaces can be manually removed from the hardware switch interface.
The hardware switch interface can be seen in the image below, named 'lan'.
Go to System -> Network -> Interfaces or Network -> Interfaces depending on the firmware version.

To view the hardware switch interface via the CLI (shown here as 'internal'):
Version: FortiGate-60E v7.4.11,build2878,260124 (GA.M)
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fabric
        set type hard-switch <--- Identifies the interface as the hardware switch.
        set stp enable
        set role lan
        set snmp-index 15
    next
end
The first step is to remove all references from the hardware switch.
This is done because FortiOS cannot delete entries that have existing dependencies.
The number of current references can be seen in the web interface under Network -> Interfaces -> 'Ref'.
By selecting the number in the 'Ref' column, the types of references are listed, for example, 'Address', 'Firewall Policy', 'System DHCP Server'.
Here, the references can also be deleted directly in the web interface on current firmware releases.
To list the references from the CLI, the following command can be used (where <INTERFACE> is the name of the hardware switch, for example, 'lan' or 'internal').
diagnose sys cmdb refcnt show system.interface.name <INTERFACE>
For example:
diagnose sys cmdb refcnt show system.interface.name lan
Or:
diagnose sys cmdb refcnt show system.interface.name internal
On older firmware releases, the references could be listed with the command:
diagnose sys checkused system.interface.name <INTERFACE>
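As an added illustration (not part of the original tip and not a Fortinet tool), the following Python script scans a saved 'show' configuration dump for settings that name a given interface, so the objects that block deletion can be reviewed offline before the switch is removed. The sample configuration and the list of interface-valued settings are constructed assumptions; the live reference count on the unit still comes from the diagnose command above.

```python
import shlex

# Constructed sample in the layout FortiOS 'show' prints (not taken from the article).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "wan1"
        set dstintf "dmz"
    next
end
config system dhcp server
    edit 1
        set interface "lan"
        config ip-range
            edit 1
                set start-ip 192.168.100.110
            next
        end
    next
end
"""

# Settings whose values are interface names (assumed list; extend for other tables).
INTERFACE_KEYS = {"interface", "srcintf", "dstintf", "associated-interface"}

def find_interface_refs(config_text, iface):
    """Return [(table, entry_id, setting)] for every top-level entry naming iface."""
    refs = []
    stack = []  # one [table_name, current_edit_id] frame per open 'config' block
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[len("config "):], None])
        elif line.startswith("edit "):
            stack[-1][1] = line[len("edit "):].strip('"')
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
        elif line.startswith("set "):
            parts = line.split(None, 2)
            values = shlex.split(parts[2]) if len(parts) > 2 else []
            if parts[1] in INTERFACE_KEYS and iface in values:
                # Report the outermost table/entry: that is the object to delete
                # or re-point before FortiOS will allow removing the switch.
                refs.append((stack[0][0], stack[0][1], parts[1]))
    return refs
```

An empty result for the switch name means no policy, DHCP server or address in the dump still points at it.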
In this example, the hardware switch that will be removed is named 'lan'.
- The firewall policy, which is linked to the 'lan' interface, must first be deleted.
Go to Policy & Objects -> Policy -> IPv4.

To delete via the CLI, first list the existing policies to find the correct policy ID:
config firewall policy
    show <--- Displays the existing firewall policies so that the correct policy ID can be identified.
The policy linked to 'lan' appears in the output as follows:
config firewall policy
    edit 1 <--- The policy ID.
        set uuid fb3f751e-72c3-51e5-9159-daebef2d0346
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Still within the 'config firewall policy' context, delete the policy:
    delete <ID> <--- With the default settings, the ID should be '1'; however, this should be verified on the system.
end

If the policy no longer exists, the following output is seen via the CLI:
show firewall policy <ID> <--- With the default settings, the ID should be '1'; however, this should be verified on the system.
entry is not found in table
Command fail. Return code 1
- The DHCP server must also be deleted for the same reason, as it is also linked to the interface (this must be done via the CLI).
config system dhcp server
    edit 1 <--- The DHCP server ID.
        set dns-service default
        set default-gateway 192.168.100.99
        set netmask 255.255.255.0
        set interface "lan"
        config ip-range
            edit 1
                set start-ip 192.168.100.110
                set end-ip 192.168.100.210
            next
        end
    next
end
To delete the entry, use the following syntax in the CLI:
config system dhcp server
    delete <ID> <--- With the default settings, the ID should be '1'; however, this should be verified on the system.
end
Once deleted, showing the entry (show system dhcp server <ID>) returns:
entry is not found in table
Command fail. Return code 1
- The 'lan' interface can now be deleted.
Select the interface 'lan', and select the delete icon to remove it.

To delete the 'lan' switch via the CLI:
config system virtual-switch
    delete "lan"
end
To verify the entry has been removed:
show system interface lan