aahmadbasri
Staff
Article Id 244017
Description This article describes how to change VLAN interface configuration.
Scope FortiGate.
Solution

Once a VLAN interface is configured, no configuration changes can be made to the VLAN ID, VLAN protocol, or physical interface. 

 

When making these changes via the CLI, the following error will be shown:

[Screenshot: CLI error message]

 

However, another option to modify the configuration is to change it from the config file and reupload it into the device.

Note that this will cause a reboot of the device. 

 

In this example, the physical interface of a VLAN will be changed to another physical interface. 

 

Initial configuration of the interface:

show system interface TestVLAN

config system interface
    edit "TestVLAN"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set alias "vlan10"
        set device-identification enable
        set role lan
        set snmp-index 19
        set interface "port3"
        set vlanid 10
    next
end

 

References to the VLAN interface:

 

[Screenshot: references to the VLAN interface]

 

To change the physical interface of this VLAN, take the following steps:

  1. Take a backup configuration of the device.
  2. In the config file, change the physical interface of the VLAN as below:

    edit "TestVLAN"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set alias "vlan10"
        set device-identification enable
        set role lan
        set snmp-index 19
        set interface "port3" <- Change to a new interface. For example, set interface 'port4'.
        set vlanid 10
    next

  3. Save the file to a new file name.
  4. Restore the configuration with the new config file from step 3. Note that the device will reboot.
  5. Once the device is up, verify whether any configuration from the uploaded file is missing:

 

diagnose debug config-error-log read

 

Verify that the VLAN is now in the new physical interface:

 

show system interface TestVLAN

config system interface
    edit "TestVLAN"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set alias "vlan10"
        set device-identification enable
        set role lan
        set snmp-index 19
        set interface "port4"
        set vlanid 10
    next
end

 

Verify that the previous reference is still in place: 

  

[Screenshot: references to the VLAN interface after the change]

 

Other changes in VLAN configuration can also be made using this method. 

 

Note:

If a new interface (for example, an aggregate interface) was created to which the VLANs will be mapped, ensure that, in the configuration file to be restored, this new interface is placed before any of the VLAN interface configurations. Otherwise, when the configuration is restored, the firewall will fail to set the interface for the VLANs and they will not be created.

In that case, configuration that references the VLANs, such as firewall policies, will not be created either.
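
The edit from step 2 and the ordering requirement from the Note can be checked together on the backup file before it is restored. The following Python is an added example, not Fortinet code: the function name `retarget_vlan` and the sample configuration are constructed for illustration, and it assumes an unencrypted plain-text backup with no multi-line quoted values containing a bare `end` line.

```python
import re

# Constructed sample modelled on the article's TestVLAN block (not a real backup).
SAMPLE = '''config system interface
    edit "port3"
        set vdom "root"
    next
    edit "port4"
        set vdom "root"
    next
    edit "TestVLAN"
        set interface "port3"
        set vlanid 10
    next
end
'''

def retarget_vlan(config_text, vlan_name, new_parent):
    """Return config_text with vlan_name's `set interface` set to new_parent.
    Raises ValueError if the VLAN is missing or new_parent is not defined before it."""
    lines = config_text.splitlines()
    depth, in_section, current, seen, changed = 0, False, None, [], False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("config "):          # a block opens (may be nested)
            depth += 1
            if depth == 1:
                in_section = s == "config system interface"
        elif s == "end":                     # a block closes
            depth -= 1
        elif in_section and depth == 1:      # skip nested sub-tables
            m = re.fullmatch(r'edit "(.+)"', s)
            if m:
                current = m.group(1)
                seen.append(current)         # interfaces in file order
            elif s == "next":
                current = None
            elif current == vlan_name and s.startswith("set interface "):
                if new_parent not in seen[:-1]:
                    raise ValueError(f"{new_parent} is not defined before {vlan_name}")
                indent = line[:len(line) - len(line.lstrip())]
                lines[i] = f'{indent}set interface "{new_parent}"'
                changed = True
    if not changed:
        raise ValueError(f"no 'set interface' line found for {vlan_name}")
    return "\n".join(lines) + "\n"
```

Write the returned text to a new file name, as in step 3, and restore from that file; a `ValueError` means the file would fail in the way the Note describes.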

Related article:

Technical Tip: Transfer/Migrate VLAN to another interface (existing or new).