Description
This article describes how to configure software switches.
A software switch, or soft switch, is a virtual switch that is implemented at the software or firmware level and not at the hardware level.
A software switch can be used to simplify communication between units connected to different FortiGate interfaces.
For example, using a software switch, the FortiGate interface is connected to an internal network on the same subnet as the wireless interfaces.
Units on the internal network can communicate with units on the wireless network without any additional configuration on the FortiGate unit, such as additional security policies.
Scope
FortiGate.
Solution
A software switch can also be useful if it requires more hardware ports for the switch on a FortiGate.
For example, if the FortiGate has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and one more port is needed, create a soft switch that can include the four-port switch and the DMZ interface, all on the same subnet.
These types of applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces such as those in FortiWiFi and FortiAPs.
Similar to a hardware switch, a software switch functions like a single interface.
A soft switch has one IP address and all the interfaces in the software switch are on the same subnet.
Traffic between units connected to each interface is not regulated by security policies, and traffic passing in and out of the switch is controlled by the same policy.
- Ensure to have at least one port or connection such as the console port to connect to the FortiGate. If too many ports are accidentally combined, find a way to undo errors.
- The ports include does not have to have any link or relation to any other aspect of the FortiGate , such as DHCP servers, security policies, and so on.
- For increased security, create a captive portal for the switch to allow only specific user groups access to the resources connected to the switch.
To create a software switch from GUI:
- Go to Network -> Interfaces.
- Select 'Create New' -> Interface.
- Set Type to 'Software Switch'.
- Configure the Interface Name, Virtual Domain, Interface Members, and other fields.
To create a software switch from CLI:
config system switch-interface
edit <switch-name>
set type switch
set member <interface_list>
next
end
config system interface
edit <switch_name>
set ip <ip_address>
set allowaccess https ssh ping
next
end
Sample configuration: software switch
For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate wireless syncing from an iPhone and a local computer.
Because synching between two subnets is problematic, putting both interfaces on the same subnet the synching will work.
The software switch will accomplish this.
- Clear the interfaces and back up the configuration.
Ensure the interfaces are not used for other security policy or for other user on the FortiGate.
Check the WiFi and DMZ1 ports to ensure DHCP is not enabled on the interface and that there are no other dependencies on these interfaces.
Save the current configuration so that if something does not work, recovery can be quick. - Merge the interfaces.
Merge the WiFi port and DMZ1 port to create a software switch named synchro with an IP address of 10.10.21.12.
Use the following CLI commands to create the switch, add the IP, and then set the administrative access for HTTPS, SSH and Ping.
config system switch-interface
edit synchro
set type switch
set member dmz1 wifi
next
end
config system interface
edit synchro
set ip 10.10.21.12
set allowaccess https ssh ping
next
end
When the soft switch is set up, add security policies, DHCP servers, and any other configuration that is normally used to configure interfaces on the FortiGate.
