This article describes how to use the new interface migration wizard introduced in FortiOS v7.0 to bypass the usual limitations where VLAN interfaces configured with a large number of references take a lot of time to migrate from one interface to another. This is because every reference has to be moved individually.

The interface migration wizard migrates the references from a physical interface to either an aggregate interface, a redundant interface, or a software switch, but is disabled for VLAN interfaces by default. This article describes how to migrate the VLAN interfaces along with references from the Parent Interface to the FortiLink interface.

Notes:

This feature does not support turning an aggregate, software switch, redundant, zone, or SD-WAN zone interface back into a physical interface.

Migration is not supported if the physical or VLAN interface is used in a tunnel configuration (IPsec or SSL VPN).

FortiGate is configured with 3 VLANs (Vlan60, Vlan80, and Vlan100), and all VLANs are configured under interface port17. All VLANs have some references used for Policies, Address Objects, Static routes, or VIPs.

Warning:

Take a config backup of the FortiGate before migrating the interfaces, and schedule the changes during a Maintenance window. Avoid accessing the FortiGate with the same interface to avoid being locked out.

For individual VLAN Interfaces, the option to integrate the interface is disabled.

However, the Parent Interface (port17) has the option to be migrated. Migrating this parent interface will migrate all of the child VLAN interfaces to the desired FortiLink interface or any other aggregate interfaces, redundant interfaces, or software switches.

Select Migrate to Interface and select 'Next'.

Select the target interface. In this example, 'fortilink' is selected. After, select 'Next'.

Review the objects to be migrated. In this example, all three VLANs are listed. After, select 'Apply' and then 'OK'.

Entries will be successfully updated, meaning it will be time to close the wizard and verify the migrated objects.

 
As shown, all three VLANs were successfully migrated under FortiLink with all references.

 
If the old Parent interface (port17) is no longer required to be a part of FortiLink, it can be removed by selecting the cross button and selecting 'OK'. After this, port17 can be used for any other purpose.

Integrate Interface Wizard returns 'Failed to update'.

The Integrate Interface Wizard does not support all possible configuration migrations. If a migration fails, the following information can be collected for TAC to investigate:

1. Enable the CLI debug before running the wizard.

diagnose debug reset
diagnose debug cli 7
diagnose debug enable

2. Initiate the Integrate Interface wizard. Once the wizard fails and the error is displayed, navigate back to the CLI to disable the debug.

diagnose debug disable
diagnose debug reset

3. The following output should be collected for the interface and any child interfaces, and uploaded to the support ticket along with the debug from step 1.

    

diagnose sys cmdb refcnt show system.interface.name <physical_interface>
diagnose sys cmdb refcnt show system.interface.name <VLAN01>
diagnose sys cmdb refcnt show system.interface.name <VLAN02>

Note:

To migrate individual VLAN interfaces instead of all, refer to the article Technical Tip: Transfer/Migrate VLAN to another interface (existing or new).

If this technique is being used to migrate an in-production physical interface and child VLANs to a FortiLink, and the physical interface is currently attached to a 3rd party switch, traffic will stop flowing to this switch. This is because the FortiLink interface at its core functions is an IEEE LACP aggregate, and this type of link is used to interconnect only 2 devices.

Related document:

• Interface migration wizard