sunu
New Member
October 30, 2014
Solved

Physical Lan Interface configuration


Hi,

I can't find the LAN interface list in the FortiGate web console. It is showing only one interface, so I can't create another physical interface. Does anybody know how to solve this? Please..

The firmware version is v5.2.1,build618 (GA) and I am using a FortiGate 60D.

    Best answer by ede_pfau


    12 replies

    ede_pfau
    SuperUser
    October 30, 2014

    Hi,

     

    By default, the LAN ports on desktop models are switch ports.

    They are represented as just one interface because all belong to the same broadcast domain / same subnet.

     

    If you want to use more ports you have to change the port mode from 'switch' to 'interface'. You can do so in the Network > Interface section. Beware that all configuration related to the 'internal' port needs to be removed before you are allowed to switch the mode. Check these:

    - policies

    - address objects assigned to that interface

    - DHCP server

    - static routes

     

    sunu (Author)
    New Member
    November 1, 2014

    Hi,

    Thanks for your reply. It's really helpful...

    To change switch mode to interface mode I need to remove everything associated with that port??

    My problem is, we have VPN tunnels working in this system and also some policies, so I need to remove all these..

    Is there any other option? I mean, without removing these policies, can I switch to interface mode?

    If there are any options, it would be really helpful..

    Anyway, I really thank you for your reply and hope for some solution for this..

     

    Sunusurendran,

    Dave_Hall
    New Member
    November 1, 2014

    sunu wrote:

    [...] Is there any other option? I mean, without removing these policies, can I switch to interface mode?

    If there are any options, it would be really helpful. [...]

     

     

    This works on 4.0 MR3 but not so sure (never tried it) on 5.x code.... Load an unencrypted backup config into a text editor, replace all references of "internal" with "internal1", then look for the line "set internal-switch-mode switch" and change that to "set internal-switch-mode interface"; save the changes, then load that back into the FGT.

    Never under estimate the power of the forum search.

    ede_pfau
    SuperUser
    November 3, 2014

    sunu,

    The good news is that you only have to remove the policies etc. using the 'internal' interface, not all policies. I assume that your VPNs are associated with the WAN port and not the 'internal' ports. But policies might be.

     

    And yes, I would rather go with the solution Dave posted: download the config file, edit it in an editor, restore it via WebGUI.

    BE AWARE that restoring will cause an immediate reboot of the FGT!!

     

    This is the reason why you change the switch mode right at the beginning of any configuration if you foresee that you will need more physical ports.

    sunu (Author)
    New Member
    November 3, 2014

    Hi Ede_pfau

    I have created policies to allow traffic from WAN to LAN.

    What may be the problem? Now I am totally confused..

     

    sunu (Author)
    New Member
    November 3, 2014

    Hi, 

    Actually, from the remote network I need to access one software installed in the local network.

    192.168.0.1 is my local LAN gateway, and I can ping the remote network's local gateway from my FortiGate CLI.

    But from the remote network (192.168.5.0) I can't access my server in the local network.

    I can't even ping 192.168.0.1 from the remote FortiGate.

     

    In switch mode it was working before..

    The remote FortiGate is still in switch mode..

    sunu (Author)
    New Member
    November 3, 2014

    Hi ede,

    My problem is I can't access one software installed on the local server from the remote network.

    What may be the problem? Is it in the policies? Please guide me to solve it; actually I am new to FortiGate.

    ede_pfau
    SuperUser
    November 3, 2014

    What do you intend to do with a policy from WAN to LAN?

    You cannot access a private address like 192.168.x.y over the internet, they are not routed. That's why they are called 'private' addresses.

    So depending on your intentions you need to change the config.

    ede_pfau
    SuperUser
    November 3, 2014

    OK, if I get you right you want to access a server on the remote subnet behind a VPN tunnel.

    For this, you need to allow that traffic.

     

    Traffic to the server is not coming from the WAN interface - it's coming from the tunnel! A VPN tunnel is represented by the tunnel interface. The interface is named like the phase1.

    So in your case you need (at least) these policies:

     

    on your FGT (local side):

    source IF: internal

    source addr: <local subnet>

    dest IF: <tunnel IF>

    dest addr: <remote subnet behind tunnel>

    no NAT

     

    on remote FGT:

    source IF: <tunnel IF>

    source addr: <remote subnet behind tunnel>

    dest IF: internal

    dest addr: <local subnet>

     

    where 'IF' stands for 'interface'.

     

     

    rwpatterson
    New Member
    November 3, 2014

    Also the remote router needs to know the path to your network is through the VPN tunnel. (it isn't the default)

    ede_pfau
    SuperUser
    November 3, 2014

    sunu,

     

    please delete these policies.

    One of them has action 'IPSEC', which is totally wrong.

     

    Let's clarify:

    - you need the tunnel definition (phase 1) in 'Interface mode'. Please check that this is enabled.

    This 'Interface mode' has nothing to do with your physical ports' switch/interface mode !!!

    - the policies need to be from 'internal' to 'tunnelname' and vice versa. The 'wan' interface is NEVER used in this. Please re-read my previous post.

    - you need one static route on each Fortigate, pointing the remote private LAN to the tunnel.

     

    If this seems all Greek to you then I suggest you read the basics on VPN in the FortiOS Handbook. Otherwise, I fear we don't talk the same language.

    ede_pfau
    SuperUser
    November 5, 2014

    Don't worry, I'm glad it's working for you now. Enjoy!

    alinbuletin
    New Member
    June 9, 2015

    Hi all,

     

    Is there anybody who has tried the procedure Dave Hall suggested?

    "....Load an unencrypted backup config into a text editor, replace all references of "internal" with "internal1", then look for the line "set internal-switch-mode switch" and change that to "set internal-switch-mode interface"; save the changes, then load that back into the FGT."

    My Fortinet 100D, running v5.2.3,build670, has the same issue: only one physical interface is active; the rest, up to port 16, look disabled.

    And by the way, in my config there is no line containing the "set internal-switch-mode" command.

    Thanks,

     

    Paul

    ede_pfau
    SuperUser
    June 9, 2015

    Paul,

     

    Yes, I have! I've done that a couple dozen times by now.

     

    As all references to the 'internal' interface have to be removed before doing the split-up, it's best to do that right after a factory reset. Let me suggest this sequence:

    1. Back up your config, not encrypted.

    2. In the CLI, type 'exec factoryreset' and confirm with 'y'. The FGT reboots.

    3. Log back in with the default credentials ('admin'/'') using the console port/serial connection. You have to delete the DHCP server, a policy and a route, all relating to the 'internal' interface, by:

    'conf sys dhcp server', 'purge', 'end'

    'conf firewall policy', 'purge', 'end'

    'conf router static', 'purge', 'end'

     

    Of course, this leaves your FGT rather crippled.

    Then, do the switch:

    'config sys global', 'set internal-switch-mode interface', 'end'.

    The FGT reboots.

    4. Log back in and note how the LAN interfaces are named now: 'internal1', 'internal2', ...

    5. Edit a copy of your config file: search and replace all occurrences of 'lan' with 'internal1' (or whatever is appropriate for your model). In my experience this cannot be done without inspecting each occurrence found.

    6. Restore that edited config to your FGT (via GUI or uploading via serial).

    The FGT will reboot.

    7. Log back in, using your credentials.

    8. Connect to the GUI and check everything.

     

    Not too much hassle. You'll be thankful in the long run, there's always one more server to connect physically...

    Edit:

    In the config file, only settings which differ from the 'factoryreset' default settings are listed. That's why usually you won't see the 'config sys global/set internal-switch-mode' line. You will - after the switch.
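As an added example (not part of this thread, and not Fortinet's tooling), the search-and-replace in step 5 above and in Dave's earlier post can be done with a small Python script that rewrites an unencrypted backup: it renames the quoted "internal" only on lines where it is known to be an interface reference (the interface's own `edit` line and the `srcintf`, `dstintf`, `interface`, `device` and `associated-interface` settings; which keys count is an assumption of this script), forces `set internal-switch-mode interface` into `config system global` (adding the line when it is absent, as the edit note says it usually is), and lists every other mention of the word for the manual inspection ede_pfau recommends. The backup embedded in the script is constructed, not a device export; the new port name `internal1`, the tunnel name `to_branch` and the address object names are assumptions, and its firewall policies and static route follow the internal-to-tunnel layout ede_pfau described earlier in the thread. Run it against a real backup instead of the sample and review every reported line before restoring, since a restore reboots the unit.

```python
"""Rewrite a FortiOS text backup for the 'internal' switch -> interface split.

Added example, not Fortinet's tooling. Only lines known to carry an interface
reference are rewritten; every other mention of 'internal' is reported for
manual review. Names (internal1, to_branch, address objects) are assumptions.
"""
import re

# Constructed sample backup (not a real device export). The policies and the
# static route mirror the internal <-> tunnel layout from ede_pfau's posts.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT60D-HQ"
end
config system interface
    edit "internal"
        set ip 192.168.0.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "internal"
    next
end
config firewall address
    edit "local_subnet"
        set associated-interface "internal"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "to_branch"
        set srcaddr "local_subnet"
        set dstaddr "remote_subnet"
        set action accept
        set comments "internal to tunnel"
    next
    edit 2
        set srcintf "to_branch"
        set dstintf "internal"
        set srcaddr "remote_subnet"
        set dstaddr "local_subnet"
        set action accept
    next
end
config router static
    edit 1
        set dst 192.168.5.0 255.255.255.0
        set device "to_branch"
    next
end
"""

# 'set' keys whose quoted value is an interface name (assumed list).
INTF_KEYS = ("srcintf", "dstintf", "interface", "device", "associated-interface")
REF_RE = re.compile(r'^(\s*(?:set (?:%s)|edit) )"internal"(\s*)$' % "|".join(INTF_KEYS))
# Any other standalone word 'internal' (not internal1, not internal-switch-mode).
LOOSE_RE = re.compile(r"\binternal\b(?!-switch-mode)")


def rewrite_config(text, new_name="internal1"):
    """Return (new_text, changed_lines, review_lines).

    changed_lines: 1-based numbers of lines rewritten or given an inserted line
    before them; review_lines: (lineno, text) of mentions left untouched."""
    out, changed, review = [], [], []
    in_global = saw_mode = False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s == "config system global":
            in_global = True
        elif in_global and s.startswith("set internal-switch-mode"):
            # Backup exported with an explicit mode: force 'interface'.
            line = re.sub(r"internal-switch-mode \S+", "internal-switch-mode interface", line)
            saw_mode = True
            changed.append(n)
        elif in_global and s == "end":
            if not saw_mode:  # default values are not exported, so add the line
                out.append("    set internal-switch-mode interface")
                changed.append(n)
                saw_mode = True
            in_global = False
        m = REF_RE.match(line)
        if m:
            line = '%s"%s"%s' % (m.group(1), new_name, m.group(2))
            changed.append(n)
        elif LOOSE_RE.search(line):
            review.append((n, s))  # e.g. a comment string: inspect by hand
        out.append(line)
    if not saw_mode:  # no 'config system global' block at all: append one
        out += ["config system global", "    set internal-switch-mode interface", "end"]
    return "\n".join(out) + "\n", changed, review


if __name__ == "__main__":
    new_text, changed, review = rewrite_config(SAMPLE_CONFIG)
    print(new_text)
    print("changed lines:", changed)
    for n, s in review:
        print("REVIEW line %d: %s" % (n, s))
```

The script deliberately refuses to touch anything it does not recognise: the `set comments "internal to tunnel"` line in the sample is reported rather than rewritten, which is the case a blind search-and-replace gets wrong.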