Technical Tip: Unable to add an in use hardware switch into a zone
| Description | This article describes about the issue where user is unable to add a hardware switch which is in use into a zone. |
| Scope | FortiGate, all firmware. |
| Solution | Adding hardware switch interface, or any interface as follows in a newly created zone is not possible, because hardware switch could be in use(referenced) at places like policies, routing, address objects, etc.
However, assigning a hardware switch interface to a zone can be done only after removing all the references.
Notice the hardware switch interface has references which means it is being used in policies, routing, etc.
Since the hardware switch is in use, adding it into a zone is not possible. As the hardware switch itself doesn't show up in the drop down as shown below.
So, remove the references that is either delete the policies, routing, etc. that uses the hardware switch interface or remove the hardware switch interfaces from those policies, routing, etc.
Now when tried to add hardware switch 'lan' interface into the zone, 'lan' shows up in the drop down.
Basically 'configure firewall policy' - > 'show' - > paste into NP++ - > replace src/dst interface where 'hardware switch' with the new zone - > purge under 'firewall policy' - > assign hardware switch to a zone - > copy & paste firewall policies back.
Note: To get the option of hardware switch interface, disable virtual-switch-vlan from global settings.
It not only applies for hardware switch interface but for any interface one trying to add into the zone it must not be referenced anywhere else like policies, routing, etc. For example ha1, ha2, wan1, wan2 interface in this case.
Related KB article for reference: |
