Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ferdie
New Contributor

Move subinterface to a different physical interface.

Hi, I want to move VLAN subinterfaces from a 1Gbps port to a 10Gbps port. Is there a way of doing this without having to delete the existing subinterfaces and associated policies and recreating them on the new interface? Thanks, Ferdie
7 Replies
ede_pfau
SuperUser

Hi, and welcome to the forums. You can edit the config offline and restore. For this, backup the config (without password), open it with an editor, locate the relevant interface part (in "config system interface"). Then cut and paste the VLAN definition to a different interface. Policies are not affected by this change, they use the VLAN interface name. Finally restore the config file to the FGT. It will reboot automatically.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

Technically, the answer is no. What Ede proposed actually deletes them, but you're copying the config from your own backup and changing it offline in an editor and putting it back in. You could also delete the relevant config portions in real time and paste the new edited elements into the unit without rebooting. My two cents

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
SuperUser

But...that would be an "open-heart operation" and you would have to watch out to make the right steps in sequence. A lot of trouble if a reboot wouldn't cost much. Deleting all policies would start a partial downtime, then deleting the interface (maybe some DHCP as well) and rebuilding, that all will take some time. A reboot induced downtime might be shorter but would affect all users. Depends on the situation I guess.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

ede_pfau wrote:
But...that would be an "open-heart operation" and you would have to watch out to make the right steps in sequence. A lot of trouble if a reboot wouldn't cost much. Deleting all policies would start a partial downtime, then deleting the interface (maybe some DHCP as well) and rebuilding, that all will take some time. A reboot induced downtime might be shorter but would affect all users. Depends on the situation I guess.
Being in health care (pun intended), open heart is a far easier solution for me. Only the VLAN in question is down. No other users are (or were) affected. I've done it that way several times. I guess I'm just very confident. (and very cautious!)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

journeyman
Contributor

If you can afford the outage while the unit reboots, ede's method is easy, elegant with low risk of error. The only line you need to change is

config system interface
   edit "vlan-name"
      set interface "physical-interface" # change to the new interface
   next
end
If you can't afford the reboot, then your only option is to delete all dependencies on the vlan interface, delete the interface, rebuild the interface, rebuild the dependencies. It's not a pleasant task and error prone.

Ferdie
New Contributor

Thanks for the replies.

Editing the config file is a very neat solution and much quicker than deleting and re-adding. A certain amount of downtime was expected for this operation so a reboot is not an issue.

Ferdie

Paul_Dean
Contributor

Deleting and recreating can be quite quick if you prepare it in advance.

  • Make sure you back up the config first.
  • Copy the config sections you wish to delete into Notepad++ or similar.
  • Make a second copy - this is the copy you will edit so you can paste it back in after deleting.
  • Edit the first copy so it looks a bit like:

    config firewall policy
        delete <your policy #>
    end

  • Do this for each section you want to delete. Pay special attention to the order. You can't delete a VLAN interface if a policy references it, for example.
  • Edit the first copy you made, changing the physical interface referenced in the VLAN interface config.
  • After that, it's copy and paste all the delete commands into the CLI followed by the config to recreate policies etc., making sure you put the config back in the reverse order: interface, DHCP, addresses, policy etc.

I recommend copying and pasting one section at a time rather than a large block of config. That way it's easier to see if you have made an error/typo.

If you are unsure, test it out on a spare firewall.

NSE4
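
Both procedures in this thread, as one added worked example (my code, not code from any poster or from Fortinet): ede's and journeyman's backup-edit-restore method, which changes only the `set interface` line of the VLAN stanza, and Paul_Dean's live rebuild, which deletes the dependents, then the VLAN, and recreates everything in reverse order. The block parses the FortiOS backup syntax (`config` / `edit` / `set` / `next` / `end`), runs the checks a restore would otherwise fail on (the source must really be a VLAN subinterface, the target must not be one, and the VLAN ID must not already exist on the target parent), then produces either the edited backup text or the ordered CLI batch. The interface names `port1`, `port17`, `vlan10`, the DHCP server and the two policies are constructed sample data, not configuration from the thread.

```python
"""Move a FortiOS VLAN subinterface to a new parent port: edit the backup, or rebuild live.
Added example (not code from the thread or from Fortinet); all names and IDs are constructed."""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
    next
    edit "port17"
    next
    edit "vlan10"
        set ip 10.10.10.1 255.255.255.0
        set interface "port1"
        set vlanid 10
    next
end
config system dhcp server
    edit 1
        set interface "vlan10"
    next
end
config firewall policy
    edit 1
        set srcintf "vlan10"
        set dstintf "port17"
    next
    edit 2
        set srcintf "port17"
        set dstintf "port1"
    next
end
"""


def parse_config(text):
    """Parse backup text into {table: {key: {attr: value}}}; values are unquoted tokens joined."""
    root, stack = {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):       # open a table or an entry
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):        # close it
            stack.pop()
    return root


def check_move(cfg, vlan, new_port):
    """Refuse what the unit would reject on restore: source must be a VLAN, target must not
    be one, and the VLAN ID must not already exist on the target parent."""
    ifaces = cfg["system interface"]
    if "vlanid" not in ifaces.get(vlan, {}):
        raise ValueError(f"{vlan} is not a VLAN subinterface")
    if new_port not in ifaces or "vlanid" in ifaces[new_port]:
        raise ValueError(f"{new_port} is not a usable parent interface")
    vid = ifaces[vlan]["vlanid"]
    for name, a in ifaces.items():
        if name != vlan and a.get("interface") == new_port and a.get("vlanid") == vid:
            raise ValueError(f"VLAN ID {vid} already exists on {new_port} ({name})")


def rewrite_parent(text, vlan, new_port):
    """Method 1 (backup, edit, restore): change only the `set interface` line in the
    `edit "<vlan>"` stanza. Policies are untouched; they reference the VLAN by name."""
    check_move(parse_config(text), vlan, new_port)
    out, path, changed = [], [], 0
    for line in text.splitlines(keepends=True):
        tok = shlex.split(line)
        if tok and tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
        elif tok and tok[0] in ("next", "end"):
            path.pop()
        elif path == ["system interface", vlan] and tok[:2] == ["set", "interface"]:
            line = line[: len(line) - len(line.lstrip())] + f'set interface "{new_port}"\n'
            changed += 1
        out.append(line)
    if changed != 1:
        raise ValueError(f"expected one parent line for {vlan}, found {changed}")
    return "".join(out)


def _stanza(key, attrs):
    return f"    edit {key}\n" + "".join(f"        set {k} {v}\n" for k, v in attrs.items()) + "    next\n"


def rebuild_batch(cfg, vlan, new_port):
    """Method 2 (live rebuild): delete dependents (policies, DHCP) then the VLAN, and
    recreate in reverse order under the new parent. Returns the CLI batch as text."""
    check_move(cfg, vlan, new_port)
    policies = {k: v for k, v in cfg.get("firewall policy", {}).items()
                if vlan in (v.get("srcintf", "") + " " + v.get("dstintf", "")).split()}
    dhcp = {k: v for k, v in cfg.get("system dhcp server", {}).items()
            if v.get("interface") == vlan}
    layers = [("firewall policy", policies), ("system dhcp server", dhcp),
              ("system interface", {vlan: dict(cfg["system interface"][vlan], interface=new_port)})]
    out = []
    for table, items in layers:                 # tear down: dependents first
        out.append(f"config {table}\n" + "".join(f"    delete {k}\n" for k in items) + "end\n")
    for table, items in reversed(layers):       # rebuild: interface first
        out.append(f"config {table}\n" + "".join(_stanza(k, v) for k, v in items.items()) + "end\n")
    return "".join(out)
```

`rewrite_parent(SAMPLE_CONFIG, "vlan10", "port17")` returns the backup with exactly one line changed, which is what you restore; `rebuild_batch(parse_config(SAMPLE_CONFIG), "vlan10", "port17")` returns the delete/recreate batch to paste into the CLI one section at a time, and it leaves policy 2 alone because it never references the VLAN. Two caveats for the live method: a recreated policy lands at the bottom of the policy sequence, so either recreate in the original order or reposition it afterwards with `move` inside `config firewall policy`; and `_stanza` only serialises flat `set` lines, so an entry with a nested sub-table (for example `config ip-range` under a DHCP server) needs that sub-table pasted back by hand.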