Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ferdie
New Contributor

Created on ‎10-18-2014 12:46 PM

Move subinterface to a different physical interface.

Hi, I want to move VLAN subinterfaces from a 1Gbps port to a 10Gbps port. Is there a way of doing this without having to delete the existing subinterfaces and associated policies and recreating them on the new interface? Thanks, Ferdie
28276
0 Kudos
2 Solutions
ede_pfau
SuperUser
SuperUser

Created on ‎10-19-2014 06:07 AM

Hi, and welcome to the forums. You can edit the config offline and restore. For this, backup the config (without password), open it with an editor, locate the relevant interface part (in " config system interface" ). Then cut and paste the VLAN definition to a different interface. Policies are not affected by this change, they use the VLAN interface name. Finally restore the config file to the FGT. It will reboot automatically.
Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
13913
0 Kudos
journeyman
Contributor

Created on ‎10-20-2014 05:27 PM

If you can afford the outage while the unit reboots, ede's method is easy, elegant with low risk of error. The only line you need to change is

config system interface
   edit "vlan-name"
      set interface "physical-interface" # change to the new interface
   next
end
If you can't afford the reboot, then your only option is to delete all dependencies on the vlan interface, delete the interface, rebuild the interface, rebuild the dependencies. It's not a pleasant task and error prone.

View solution in original post

13913
0 Kudos
7 REPLIES 7
ede_pfau
SuperUser
SuperUser

Created on ‎10-19-2014 06:07 AM

Hi, and welcome to the forums. You can edit the config offline and restore. For this, backup the config (without password), open it with an editor, locate the relevant interface part (in " config system interface" ). Then cut and paste the VLAN definition to a different interface. Policies are not affected by this change, they use the VLAN interface name. Finally restore the config file to the FGT. It will reboot automatically.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
13914
0 Kudos
rwpatterson
Valued Contributor III
In response to ede_pfau

Created on ‎10-20-2014 06:02 AM

Technically, the answer is no. What Ede proposed actually deletes them, but you' re copying the config from your own backup and changing it offline in a editor and putting it back in. You could also delete the relevant config portions in real time and paste the new edited elements into the unit without rebooting. My two cents

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
13870
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎10-20-2014 06:24 AM

But...that would be an " open-heart operation" and you would have to watch out to make the right steps in sequence. A lot of trouble if a reboot wouldn' t cost much. Deleting all policies would start a partial downtime, then deleting the interface (maybe some DHCP as well) and rebuilding, that all will take some time. A reboot induced downtime might be shorter but would affect all users. Depends on the situation I guess.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
13870
0 Kudos
rwpatterson
Valued Contributor III
In response to ede_pfau

Created on ‎10-21-2014 06:18 PM

ede_pfau wrote:
But...that would be an " open-heart operation" and you would have to watch out to make the right steps in sequence. A lot of trouble if a reboot wouldn' t cost much. Deleting all policies would start a partial downtime, then deleting the interface (maybe some DHCP as well) and rebuilding, that all will take some time. A reboot induced downtime might be shorter but would affect all users. Depends on the situation I guess.
Being in health care (pun intended), open heart is a far easier solution for me. Only the VLAN in question is down. No other users are (or were) affected. I've done it that way several times. I guess I'm just very confident. (and very cautious!)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
13870
0 Kudos
journeyman
Contributor

Created on ‎10-20-2014 05:27 PM

If you can afford the outage while the unit reboots, ede's method is easy, elegant with low risk of error. The only line you need to change is

config system interface
   edit "vlan-name"
      set interface "physical-interface" # change to the new interface
   next
end
If you can't afford the reboot, then your only option is to delete all dependencies on the vlan interface, delete the interface, rebuild the interface, rebuild the dependencies. It's not a pleasant task and error prone.

13914
0 Kudos
Ferdie
New Contributor

Created on ‎10-20-2014 07:52 PM

Thanks for the replies.

Editing the config file is a very neat solution and much quicker than deleting and re-adding. A certain amount of downtime was expected for this operation so a reboot is not an issue.

 

Ferdie

 

13870
0 Kudos
Paul_Dean
Contributor

Created on ‎10-22-2014 01:11 AM

Deleting and recreating can be quite quick if you prepare it in advance.

 

[ul]
  • Make sure you backup the config first.
  • Copy the config sections you wish to delete into Notepad++ or similar.
  • Make a second copy - this is the copy you will edit so you can paste it back in after deleting.
  • Edit the first copy so it looks a bit like (without the '):[/ul]

    'config firewall policy

    delete <your policy #>

    end'

    [ul]
  • Do this for each section you want to delete. Pay special attention to the order. You can't delete a VLAN interface if a policy references it for example.
  • Edit the first copy you made, changing the physical interface referenced in the VLAN interface config.
  • After that, it's copy and paste all the delete commands into the cli followed by the config to recreate policies etc, making sure you put the config back in the reverse order, interface, DHCP, addresses, policy etc.[/ul]

    I recommend copying and pasting one section at a time rather than a large block of config. That way it's easier to see if you have made an error/typo.

     

    If you are unsure, test it out on a spare firewall.

    • NSE4
    NSE4
    13870
    0 Kudos
    Announcements
    Check out our Community Chatter Blog! Click here to get involved
    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2025 Fortinet, Inc. All Rights Reserved.