Technical Note: How to delete the default virtual Hardware Switch 'lan'

cmartinez1 · ‎12-02-2015

Description

This article provides information on how to delete the default virtual hardware switch "lan".

Most FortiGate models which support hardware switch will come with a predefined interface named "lan" which bundles multiple interfaces into a switch for multiple interfaces within the same network segment which may communicate between each other without further configuration.

Individual interfaces can be manually removed from the "lan" interface however in order to free up all ports linked to it it must be removed.

The hardware switch interface can be seen in the image below named "lan".

Go to: System > Network > Interfaces

To view the interface via the CLI:

# show system interface lan

Use the steps provided below to completely remove the switch interface.

Solution

1. The firewall policy which is linked to the "lan" interface must first be deleted. This is done since FortiOS cannot delete entries which have existing dependencies.

Go to: Policy & Objects > Policy > IPv4

To delete via CLI:

# config firewall policy
# show                      <-- To view existing firewall policies to gather the correct policy ID

config firewall policy
    edit 1                   <-- The policy ID
        set uuid fb3f751e-72c3-51e5-9159-daebef2d0346
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# delete <ID>            <-- With the default settings the ID should be "1" however it should be verified on your system
# end

The GUI should look similar if the default config was loaded on the system.

The following output will be seen via the CLI if the policy no longer exists.

# show firewall policy <ID> <-- With the default settings the ID should be "1" however it should be verified on your system
entry is not found in table
Command fail. Return code 1

2. The DHCP server must also be deleted for the same reasons as it is also linked to the interface (This must be done via the CLI).

# show system dhcp server   <-- To display existing DHCP servers

config system dhcp server
    edit 1                   <-- The DHCP ID
        set dns-service default
        set default-gateway 192.168.100.99
        set netmask 255.255.255.0
        set interface "lan"
            config ip-range
                edit 1
                    set start-ip 192.168.100.110
                    set end-ip 192.168.100.210
                next
      end

To delete the entry use the following syntax in the CLI:

# config system dhcp server
# delete <ID> <-- With the default settings the ID should be "1" however it should be verified on your system
# end

The following output will be seen via the CLI if the DHCP server no longer exists.

# show system dhcp server <ID> <-- With the default settings the ID should be "1" however it should be verified on your system
entry is not found in table
Command fail. Return code 1

3. The "lan" interface can now be deleted.

Go to: System > Network > Interfaces

Select the interface "lan", and click on the delete icon to remove it.

To delete "lan" switch via the CLI:

# config system virtual-switch
# delete "lan"
# end

To view if the entry is removed:

# show system interface lan