Description
In FortiOS v5.4 the commands to change from switch mode to interface mode differ from those in v5.2.
Solution
In 5.2 the port configuration could be changed by using the following commands:
1) Command to change the FortiGate to switch mode:
config system global
set internal-switch-mode switch
end
2) Command to change the FortiGate to interface mode:
config system global
set internal-switch-mode interface
end
After this change the unit had to be rebooted and instead of a combined “internal” switch the unit showed individual ports.
In 5.4 the commands have been changed, and some of the configuration modules were removed or changed. If you upgraded a unit that was already in interface mode, the configuration is adapted.
However, with factory resets or brand new units the default setting is that all ports are in the hardware switch.
In order to have separate ports instead of running them in a switch, the configuration changes can be made as follows for new or factory reset units.
Step 1 - Remove all policies referencing “internal” or “lan”.
FWF90D3Z13xxxxxx (policy) # show
config firewall policy
edit 1
set uuid 1dac0956-0e3f-51e7-9b91-b653bdf8af55
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
FWF90D3Z13xxxxxx (policy) # purge ----{ Caution! This will remove all policies
This operation will clear all table!
Do you want to continue? (y/n)y
Step 2 (For WiFi units only) - Remove "internal" from software switch interface "lan".
FWF90D3Z13xxxxxx # config system switch-interface
FWF90D3Z13xxxxxx (switch-interface) # edit lan
FWF90D3Z13xxxxxx (lan) # show
config system switch-interface
edit "lan"
set vdom "root"
set member "wifi" "internal"
next
end
FWF90D3Z13xxxxxx (lan) # set member wifi
FWF90D3Z13xxxxxx (lan) # end
FWF90D3Z13xxxxxx (switch-interface) # show
config system switch-interface
edit "lan"
set vdom "root"
set member "wifi"
next
end
Step 3 – Remove all ports (or individual ports) from the virtual switch.
FWF90D3Z13xxxxxx # config system virtual-switch
FWF90D3Z13xxxxxx (virtual-switch) # show
config system virtual-switch
edit "internal"
set physical-switch "sw0"
config port
edit "internal1"
next
edit "internal2"
next
edit "internal3"
next
edit "internal4"
next
edit "internal5"
next
edit "internal6"
next
edit "internal7"
next
edit "internal8"
next
edit "internal9"
next
edit "internal10"
next
edit "internal11"
next
edit "internal12"
next
edit "internal13"
next
edit "internal14"
next
end
next
end
FWF90D3Z13xxxxxx (virtual-switch) # purge ----{ Caution! This will remove all ports.
This operation will clear all table!
Do you want to continue? (y/n)y
If only some ports are to be removed from the switch, instead of “purge” enter:
FWF90D3Z13xxxxxx # config system virtual-switch
FWF90D3Z13xxxxxx (virtual-switch) # edit internal
FWF90D3Z13xxxxxx (internal) # config port
FWF90D3Z13xxxxxx (port) # delete internal1
FWF90D3Z13xxxxxx (port) # end
FWF90D3Z13xxxxxx (internal) # end
After removing the ports from the hardware switch the configuration of policies, routes and interface settings for each port can be completed.
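Step 1 purges every policy, including ones that never touch the switch. The following added example (not part of the original article and not Fortinet code) scans pasted "show" output and lists only the policies and software-switch entries that still reference "internal" or "lan", so they can be reviewed or deleted individually. The function name, the sample configuration and the "dmz" interface are constructed for illustration.

```python
import shlex

# Constructed sample, laid out like the "show" output in the steps above.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
    next
    edit 2
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
    next
end
config system switch-interface
    edit "lan"
        set vdom "root"
        set member "wifi" "internal"
    next
end
"""

# Settings that can name an interface, per top-level config section.
WATCHED = {
    "firewall policy": ("srcintf", "dstintf"),
    "system switch-interface": ("member",),
}

def find_references(config_text, targets=("internal", "lan")):
    """Return (section, entry, setting, matched names) for each reference."""
    hits, stack, entry = [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])      # entering a section
        elif line == "end" and stack:
            stack.pop()                               # leaving a section
        elif len(stack) == 1 and line.startswith("edit "):
            entry = line[len("edit "):].strip('"')    # current table entry
        elif len(stack) == 1 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[1] in WATCHED.get(stack[0], ()):
                found = sorted(set(shlex.split(parts[2])) & set(targets))
                if found:
                    hits.append((stack[0], entry, parts[1], found))
    return hits

if __name__ == "__main__":
    for hit in find_references(SAMPLE_CONFIG):
        print(hit)
```

An empty result means nothing in the pasted sections still names the switch interfaces.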