fred339
Explorer III
October 9, 2022
Question

Removing hardware switch while one Member is the only connected LAN interface

It seems like this *must be* a common situation:

We start setting up a Fortigate and assign a LAN address to an internal interface that's a member of the hardware switch.  An internal interface such as internal1.

We decide we don't want or need a switch inside the Fortigate and want to remove all the internal interfaces from it.

But, in the process, we lose our LAN connection.

If we are accessing the Fortigate remotely, then we have to do something to restore the LAN connection.

(There is no DHCP).

Is there a good procedure for doing this?  If so, where?  

Or, can someone please provide the steps needed so that the LAN connection remains without interruption?

8 replies

Toshi_Esumi
SuperUser
October 9, 2022

I don't think there is any way to swap the "internal" hard-switch interface to an individual interface like "internal1" without any interruption to LAN connections if it's already in production/service. The internal interface config needs to be moved only to internal1, which can be done only after you remove it from internal. So either you have to go step by step:

1. remove IP config from internal

2. remove internal1 from "config sys virtual-switch"->"edit internal"

3. configure the same IP on internal1

Or download the config file, make those changes in the file, then restore/upload the config file and wait for the FGT to reboot with the new config.

Removing the "internal" hard-switch completely can be done any time afterward.

Toshi

fred339 (Author)
Explorer III
October 10, 2022

Thank you!

This system is being configured - not yet in production.  

This system is connected to the production LAN and is accessed using an on-site computer which I'm accessing remotely.  Physical access is inconvenient.

The Console interface is available.  So, at least some interim CLI-based configuration could be done.  My limitation right now is knowing how to do each thing that's needed.

It can also be configured to be accessed via a WAN connection.  Perhaps that's my best approach so I can use the GUI.  But, if you might list the few commands needed with the CLI, that would be appreciated.

Toshi_Esumi
SuperUser
October 10, 2022

Then I would recommend SSH to get in remotely, then go through the commands below.

- config sys int -> edit internal -> show, then save it to a text editor to refer to later

- config sys virtual-switch -> show, to see how the config is structured
   and inside it, config port-> delete internal1 or whatever you want to remove, then end

- config sys int -> edit internal1 and configure the IP and other necessary parts from the internal config you have.

Toshi

fred339 (Author)
Explorer III
October 10, 2022

Right.  Thank you!!
I have it done now.  But for others, this won't remove the switch, only the internal1 interface.  And, the switch will need to have 2 remaining interfaces in order to delete internal1.

To remove the switch (and the 2+ interfaces from within it) I believe this does it:

config sys virtual-switch
delete internal
end

Toshi_Esumi
SuperUser
October 10, 2022

Only one should need to be there. Try creating a new one with only one physical interface. You should be able to create it.

Toshi

Toshi_Esumi
SuperUser
October 10, 2022

I guess I just repeated what you said. You have to have 2, including the one being removed. I meant only 1 is needed after you remove the one.
Or, you could have removed the internal hard-switch first after confirming it was not referred to by any other part of the config, e.g. with "show | grep -f internal". Then configure internal1 or whatever you want to use.

Toshi

fred339 (Author)
Explorer III
October 11, 2022

Well, somewhere I'd thought I'd both read and experienced the need for 2.  Maybe that's no longer the case.  I was able to test it and confirm what you said here.  
Thank you!!  That makes things easier.

fred339 (Author)
Explorer III
October 17, 2022

Toshi_Esumi: Thank you!

esec
Visitor III
October 17, 2022

From FortiOS 7 you can have switches with no members, and a good alternative could be to use a CLI script to perform all the changes needed. When you upload and run a CLI script, all changes are run at the same time and you don't need to do one line at a time :)
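Toshi's three-step order (strip the IP from "internal", pull the member port out of the virtual switch, then configure the port) and the "is the switch still referenced anywhere?" check from the later reply both turn into text that can be generated rather than typed live, which is what esec's CLI-script suggestion relies on. The following Python is an added example, not code from this thread or from Fortinet: it parses a constructed `show` dump of the "internal" interface, scans a constructed partial config for references to "internal" outside the interface and virtual-switch sections (the equivalent of `show | grep -f internal`), and emits a FortiOS CLI script in the right order. The interface names, IP address and config fragments are made up for the example; the `config system virtual-switch` section name is the one this thread uses, and other models may expose the hardware switch differently.

```python
"""Generate a FortiOS CLI script that moves the LAN IP from the hardware
switch "internal" to one member port "internal1".  Added example, not from
the forum post or from Fortinet; all config text below is constructed."""
import re

# Constructed sample of `config system interface` -> `edit internal` -> `show`.
SAMPLE_INTERNAL = """\
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
        set snmp-index 7
    next
end
"""

# Constructed sample of a wider config dump, used for the reference check.
SAMPLE_CONFIG = """\
config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
        end
    next
end
config system dhcp server
    edit 1
        set interface "internal"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
end
"""

# Settings worth carrying from the switch interface to the member port.
# 'type', 'vdom' and 'snmp-index' stay behind: the port already has its own.
PORTABLE = ("ip", "allowaccess", "role", "alias", "description")


def parse_interface(show_output: str) -> dict:
    """Return {setting: value} for the `set` lines of one interface block."""
    settings = {}
    for line in show_output.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def find_references(config: str, name: str) -> list:
    """(section, line) pairs that quote `name` outside the interface and
    virtual-switch definitions: DHCP servers, policies, routes and so on.
    An empty list means the switch can be deleted without orphaning config."""
    refs, section = [], None
    for line in config.splitlines():
        m = re.match(r"config (.+)$", line)  # top-level headers have no indent
        if m:
            section = m.group(1)
            continue
        if section in ("system interface", "system virtual-switch"):
            continue
        if re.search(rf'"{re.escape(name)}"', line):
            refs.append((section, line.strip()))
    return refs


def migration_script(settings: dict, switch: str, port: str) -> str:
    """FortiOS CLI in the order from the thread.  The IP must leave the
    switch first, otherwise setting the same subnet on the port is refused
    as an overlap; the port must leave the switch before it can take an IP."""
    carried = {k: v for k, v in settings.items() if k in PORTABLE}
    lines = [
        "config system interface",
        f'    edit "{switch}"',
        "        unset ip",
        "        unset allowaccess",
        "    next",
        "end",
        "config system virtual-switch",
        f'    edit "{switch}"',
        "        config port",
        f'            delete "{port}"',
        "        end",
        "    next",
        "end",
        "config system interface",
        f'    edit "{port}"',
    ]
    lines += [f"        set {k} {v}" for k, v in carried.items()]
    lines += ["    next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for section, line in find_references(SAMPLE_CONFIG, "internal"):
        print(f"still referenced in '{section}': {line}")
    print(migration_script(parse_interface(SAMPLE_INTERNAL), "internal", "internal1"))
```

Upload the generated text as a CLI script (or paste it in one go over the console) so the three blocks run back to back; the management session over the old IP still drops at the `unset ip`, but it comes back on internal1 a moment later instead of waiting for someone to type the rest. Run the reference check before deleting the switch object itself, and fix up anything it lists (here a DHCP server and a policy) to point at the new interface.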

fred339 (Author)
Explorer III
October 17, 2022

@esec Yes indeed, scripts run faster than mere humans.  But, I'm not sure they are any better unless needed for repetitive actions.  I don't see that changing switch configurations is usually repetitive. 

esec
Visitor III
October 18, 2022

It solves the issue that you lose access to the Fortigate if you want to modify an interface. You could then do a change as you wrote in this post without almost any interruption at all. 

fred339 (Author)
Explorer III
October 18, 2022

@esec Thanks.  Presumably you mean the management interface, right?   If the management interface is working and you can initiate the change process needed, what happens to the management interface when it's done?   Can you give an example?  I'm having a hard time envisioning the scenario.

Perhaps I'm biased in my view because almost all my work is done remotely and physically moving cables is inconvenient.