Rhill
Explorer
July 31, 2025
Solved

How to Convert a Software Switch to Hardware Switch on HA Cluster


Hello. 

 

We have an Active/passive cluster setup with 200F devices that interface with a redundant LAN network. During the setup there were issues with loops occurring that were blocked by STP in the LAN network. The cluster LAN interfaces on the firewalls function as a transit LAN with VLAN sub-interfaces below it for our network hosts.

The network loops were mitigated by removing redundant links into the firewalls and the LAN network settings on the Ubiquiti switching equipment. We are not currently experiencing loop issues. But we are now trying to figure out how to fix the problematic setup to remove the STP loops and allow a redundant network.

The root cause of the loops looks like software switches on the FortiGate LAN interfaces. Per this link (https://community.fortinet.com/t5/FortiGate/Technical-Tip-Building-redundant-paths-to-switch-network-from/ta-p/279038), they are identified as not participating in STP. And the software switches are also not monitored if a LAN interface fails.

My question, what is the best strategy for removing a software switch with VLAN sub-interfaces and replacing it with a hardware switch on the firewalls? If I do it in the GUI, it looks like a complete breakdown and rebuild of the configuration of the firewall.

We appreciate any input or guidance,

Robert

Best answer by Toshi_Esumi

"VLAN switch" vs. "Hardware switch" has almost nothing to do with "Software switch".  If you're NOT using VLAN Switch specific feature, VLAN switch works in the same way hardware switch works. Disabling VLAN switch mode (to go back to the native hardware-switch mode) wouldn't help anything to get rid of software switch.

The software switch is configured under "config system switch-interface" in the config file. You should see the members under the interface name you configured.
To configure hardware switch (also VLAN switch), you need to configure "config system virtual-switch" instead like below.
 
config system virtual-switch
  edit <interface_name_you_want>
    set physical-switch "sw0"    <-- this depends on the model but likely sw0 would work
    config port
      edit "portX"     <-- these are the member ports currently in the softswitch
      next
      edit "portY"
      next
      .....
    end
  next
end

Then you can remove the software switch config under "config system switch-interface" (and under "config system interface" if you want to change the name, but in that case you need to configure the new interface).

Toshi
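Added example (not part of the thread and not Fortinet code): a Python script that reads a config backup, lists each software switch under "config system switch-interface" with its member ports, and prints the matching "config system virtual-switch" stanza in the layout from the answer above, so the change can be reviewed before the file is edited. The sample backup, the name lan-sw and the ports are constructed; "sw0" is the value the answer calls likely and has to be checked per model.

```python
import shlex

# Constructed sample of a FortiGate backup fragment (not taken from the thread).
SAMPLE_BACKUP = '''\
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set member "port5" "port6"
    next
end
config system interface
    edit "lan-sw"
        set type switch
    next
end
'''

def find_soft_switches(config_text):
    """Return {name: [member ports]} for each software switch in the backup."""
    switches, in_section, name = {}, False, None
    for raw in config_text.splitlines():
        if not in_section:
            # Only tokenize lines inside the section; other sections may hold
            # multi-line quoted values (keys, certificates) that shlex rejects.
            in_section = raw.strip() == "config system switch-interface"
            continue
        words = shlex.split(raw)
        if words == ["end"]:
            in_section, name = False, None
        elif words[:1] == ["edit"] and len(words) == 2:
            name = words[1]
            switches[name] = []
        elif name and words[:2] == ["set", "member"]:
            switches[name] = words[2:]
    return switches

def virtual_switch_stanza(name, ports, physical_switch="sw0"):
    """Render the virtual-switch block; physical_switch is an assumed default."""
    lines = ["config system virtual-switch", f'  edit "{name}"',
             f'    set physical-switch "{physical_switch}"', "    config port"]
    for port in ports:
        lines += [f'      edit "{port}"', "      next"]
    lines += ["    end", "  next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    for sw, members in find_soft_switches(SAMPLE_BACKUP).items():
        print(virtual_switch_stanza(sw, members))
```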

1 reply

AEK
SuperUser
July 31, 2025

Hi Robert

I'd do as follows:

  1. Back up the config
  2. Edit the config file and change the SW switch to HW switch
  3. Restore the config

Don't forget to keep the original backup, just in case there is an issue and you want to roll back.

Hope it helps.

Rhill (Author)
Explorer
July 31, 2025

Hello AEK,

 

Thank you very much for the quick response.  That sounds like an easy change.  We'll give it a go.   

Rhill (Author)
Explorer
August 2, 2025

Update. I used Notepad++ to edit the file. I changed the interface from "switch" to "hard-switch". I then restored the config file. It worked functionally, but in the management interface, the VLAN switch and all VLAN sub-interfaces showed up as down. I rolled back without issue.

 

I was recommended to try this solution: ( https://community.fortinet.com/t5/FortiGate/Technical-Tips-FortiGate-Does-not-show-the-Hardware-switch/ta-p/205188 )

 

It was to get the hardware switch to show up, but got this error and aborted:

 

This change will disable trunk on interfaces and remove VLAN from virtual switches.  If you don't want it to be changed, type "abort"