FortiGate
sjoshi
Staff
Article Id 343534
Description


This article describes an issue where users are unable to enable the stpforward option under a hardware switch in FortiGate.


Scope


FortiGate.


Solution


The following error may appear when attempting to enable stpforward on the 'internal' interface while its type is set to hardware switch:


SCF-VG-01 (internal) # set stpforward enable

SCF-VG-01 (internal) # end
Cannot enable stpforward and stp on interface "internal"
object check operator error, -7, discard the setting
Command fail. Return code -7


'stpforward' allows the interface to forward STP BPDUs. The interface 'internal' is of type 'hard-switch', on which STP is enabled by default; with STP enabled, the hardware switch terminates STP BPDUs itself instead of forwarding them, so the two settings are mutually exclusive.


config system interface
    edit "internal"
        set vdom "root"
        set ip 172.16.1.10 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set type hard-switch  <----- The type is hardware switch.
        set stp enable  <----- By default stp is enabled.
        set role lan
        set snmp-index 15
    next
end


STP must be disabled before the stpforward option can be enabled. Once stp is disabled, the same change is accepted:


SCF-VG-01 # config sys interface
SCF-VG-01 (interface) # edit internal
SCF-VG-01 (internal) # set stp disable
SCF-VG-01 (internal) # set stpforward enable
SCF-VG-01 (internal) # end


config system interface
    edit "internal"
        set vdom "root"
        set ip 172.16.1.10 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set stpforward enable  <----- stpforward is set as enabled.
        set type hard-switch
        set role lan
        set snmp-index 15
    next
end
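To audit a saved configuration dump for this condition before touching a device, here is an added Python example (not Fortinet's code, nor part of this article) that parses the 'config system interface' layout shown above, lists hard-switch interfaces whose dump still shows 'set stp enable', and returns the CLI sequence the article uses to fix them. The sample dump is constructed; the checker only trusts values present in the dump and does not infer defaults that are omitted from the output.

```python
import re

# Constructed sample modelled on the config excerpts in this article; not a real device dump.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set vdom "root"
        set ip 172.16.1.10 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set type hard-switch
        set stp enable
        set role lan
    next
    edit "lan2"
        set vdom "root"
        set stpforward enable
        set type hard-switch
        set role lan
    next
    edit "wan1"
        set vdom "root"
        set type physical
    next
end
"""

def parse_interfaces(text):
    """Parse the 'edit ... next' entries of a FortiOS 'config system interface'
    block into {name: {setting: value}}. Only the flat layout shown in this
    article is handled; nested sub-blocks are not parsed."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")  # keep multi-word values intact
            interfaces[current][key] = value
    return interfaces

def stpforward_blockers(interfaces):
    """Hard-switch interfaces whose dump shows 'set stp enable': on these,
    'set stpforward enable' is rejected (return code -7) until stp is disabled."""
    return sorted(n for n, c in interfaces.items()
                  if c.get("type") == "hard-switch" and c.get("stp") == "enable")

def remediation(name):
    """CLI sequence from the article that makes stpforward accepted on 'name'."""
    return ["config system interface", f"edit {name}",
            "set stp disable", "set stpforward enable", "end"]
```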


Related article:

Technical Tip: STP forwarding