FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gpap_FTNT
Staff & Editor
Article Id 189485

Description

This article describes how to switch a FortiGate from NAT mode to transparent mode and how to resolve the errors that can block the change.

Scope

FortiGate.

Solution

Error 1: when switching from NAT mode to transparent mode on a unit where FortiLink is already configured, the following error appears:

 

FGT # config sys settings
FGT (settings) # set opmode transparent
Cannot change to Transparent mode because this vdom contains managed switches and switchctl-vlans.
Please clear managed-switches, disable fortilink and retry.
node_check_object fail! for opmode transparent

value parse error before 'transparent'
Command fail. Return code -7610

 

Checking the FortiLink interface first shows that it is already administratively down:

FGT (fortilink) # show
config system interface
    edit "fortilink"
        set vdom "root"
        set allowaccess ping fabric
        set status down
        set type aggregate
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 14
    next
end


Even with the FortiLink interface down, the same error appears as long as other objects still reference FortiLink. Find those references with the following CLI command (the referencing lines are marked with <---) and remove them as described in the steps that follow:

show | grep -i fortilink -f

config system interface
    edit "fortilink" <---
        set vdom "root"
        set fortilink enable <---
        set ip 10.10.225.1 255.255.255.0
        set allowaccess ping fabric https
        set type aggregate
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 8
    next
end
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "fortilink" <---
end
config system dhcp server
    edit 1
        set ntp-service local
        set default-gateway 10.10.225.1
        set netmask 255.255.255.0
        set interface "fortilink" <---
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
end
config switch-controller storm-control-policy
    edit "auto-config"
        set description "storm control policy for fortilink-isl-icl port" <---
        set storm-control-mode disabled
    next
end

 

References can also be checked using the following cmdb command:

diagnose sys cmdb refcnt show system.interface.name fortilink
entry used by table system.dhcp.server:id '1'
entry used by child table interface:interface-name 'fortilink' of complex system.ntp:interface.interface-name
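As an added example that is not part of this article, the following Python script performs the same reference check offline against a configuration backup: it walks the nested config/edit/set/next/end structure and lists every object whose 'set' value is the interface name. The sample configuration is constructed from the output above; note that the storm-control description matched by grep is only a text mention, not a reference, and is correctly not reported.

```python
import shlex

# Constructed sample, condensed from the article's 'show | grep' output.
SAMPLE_CONFIG = """\
config system interface
    edit "fortilink"
        set fortilink enable
    next
end
config system ntp
    set server-mode enable
    set interface "fortilink"
end
config system dhcp server
    edit 1
        set interface "fortilink"
    next
end
config switch-controller storm-control-policy
    edit "auto-config"
        set description "storm control policy for fortilink-isl-icl port"
    next
end
"""

def find_interface_references(config_text, ifname):
    """Return (path, attribute) pairs for every 'set' whose value is exactly
    ifname, outside the interface's own 'edit' block. A path looks like
    'system dhcp server/1'. Unlike a plain grep, a substring inside a free-text
    value (the storm-control description here) does not count as a reference."""
    stack, refs = [], []          # stack of nested config/edit names
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
        elif kw == "edit":
            stack.append(tokens[1])
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set" and stack[:2] != ["system interface", ifname]:
            if any(v.lower() == ifname.lower() for v in tokens[2:]):
                refs.append(("/".join(stack), tokens[1]))
    return refs

if __name__ == "__main__":
    for path, attr in find_interface_references(SAMPLE_CONFIG, "fortilink"):
        print(f"clear before 'set opmode transparent': {path} -> set {attr}")
```

An empty result for the interface is the condition the cmdb refcnt check above should also confirm before the opmode change is attempted.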

 

Disable the NTP server that references the FortiLink interface (or point it at any other available interface):

config sys ntp

FortiGate(ntp) # show
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "fortilink"
end

(ntp) # set server-mode disable
(ntp) # end

 

Delete the DHCP server entry using the following commands:

config sys dhcp server
(server) # delete 1
(server) # end

 

Disable the FortiLink interface:

config sys interface
(interface) # edit fortilink
(fortilink) # set status down
(fortilink) # end

 

On a FortiGate-VM, the FortiLink interface itself can also be deleted:

config sys interface
(interface) # delete fortilink
(interface) # end

 

Now change the operation mode to transparent and set the management IP:

config sys settings
(settings) # set opmode transparent
(settings) # set manageip 10.12.12.12/24
(settings) # end

Changing to TP mode
Done.

 

The same cleanup can be done from the GUI: go to System -> Settings -> NTP to disable the NTP server, and on the FortiLink interface described above unset the IP address and disable all FortiLink-related settings, as shown in the screenshot below.

Screenshot: FortiLink_Disabled.png

 

Error 2: a different error appears when other interface objects, such as paired NPU VDOM links, are still up in the VDOM:

FGT # config sys settings
FGT (settings) # set opmode transparent
Paired npu0_vlinks with up status in the same VDOM(TP mode) are not allowed
node_check_object fail! for opmode transparent

value parse error before 'transparent'
Command fail. Return code -651

 

The referenced object can be any interface; in this case it is the npu0_vlink VDOM link pair. Bring the VDOM link interfaces down:

FGT # config system interface
    edit <interface>
        set status down
    next
end

 

Below is the expected result without any error message:

FGT # config system settings
FGT (settings) # show full-configuration | grep opmode
    set opmode nat
FGT (settings) # set opmode transparent
FGT (settings) # set manageip <IP address/mask>
FGT (settings) # end

Output:

FGT # config system settings
FGT (settings) # show full-configuration | grep opmode
    set opmode transparent
FGT (settings) # end